
Re: SHA-1 broken



On Thu, Feb 17, 2005 at 03:01:29PM +0000, Ian G wrote:
> 
> David Shaw wrote:
> 
> >Rather than trying to jury-rig something together to allow using other
> >hashes, I think I would rather just declare a V5 key format (which can
> >be essentially the same as V4), which uses a different hash.  Users
> >can continue using V4 keys as long as they desire, and developers will
> >have time to add support for V5 so it's ready when it is needed.  This
> >ties in neatly with other things recently discussed here : for
> >example, a V5 key could be said to have AES as the default algorithm.
> > 
> >
> 
> Having now read the "note" that the Shandong
> team distributed, I'm less inclined to think this
> is the end of the world.  See my blog for some
> snippets.
> 
> Declaring a need for a V5 key makes a lot of
> sense, if we believe that we can survive that
> long.  However, the first thing would be that
> I'd say a redesign of the key structure would
> be better than just a minor change to one
> element.  I don't think it's worth carrying the
> costs of an entire new key structure in code
> without making it worth carrying on for the
> next N decades.

We're much in agreement, though I don't foresee any key version making
it much beyond 10-15 years.  The technology changes, and there is no
easy way to get around that.  V4 keys have lasted for around 7-8 years
now, and will likely hang on for years to come; that's a pretty good
run.  I think designing a V5 key that will last much longer than that
is not possible without a crystal ball.  The best we can do is to
design it to last as long as possible, and know that someday we'll be
making a V6 key.

My main argument for a V5 key is that doing patch work on V4 has the
potential to split the installed base into "old V4" and "new V4".
Rather than end up like that, just call "new V4" "V5" instead.  It is
also an opportunity to fix the handful of little details that bug
people about V4: the default cipher can be AES instead of 3DES.  The
key expiration dates can be hard or soft (not just soft as in V4).
And so on.

I don't know that this should necessarily be in 2440bis, though, or
2440bis may never be released.

David
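The argument above turns on one mechanical fact: a V4 key's fingerprint is defined (RFC 2440, section 11.2) as SHA-1 over a 0x99 octet, a two-octet length, and the public-key packet body, so "using a different hash" cannot be done without telling every implementation which hash applies. The following is an added example, not part of David Shaw's message and not code from GnuPG or any OpenPGP implementation. It computes a real V4 fingerprint, then shows two ways of changing the hash: a hypothetical "V5" that is dispatched on the version byte (the V5 layout and its use of SHA-256 are assumptions made here for illustration), and a "patched V4" that swaps the hash without bumping the version, which is the "old V4" versus "new V4" split the message warns about. The RSA key material is a constructed placeholder, not a real key.

```python
import hashlib
import struct
from typing import Optional


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then big-endian magnitude."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def public_key_body(version: int, created: int, n: int, e: int) -> bytes:
    """Body of an RSA (algorithm 1) public-key packet.

    The version 4 layout (version, 4-octet creation time, algorithm, MPIs)
    is RFC 2440 section 5.5.2.  Reusing the same layout for "version 5" is
    an assumption of this example, not anything the thread or RFC defines.
    """
    return bytes([version]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


# Hash selected by key version.  V4 -> SHA-1 is fixed by RFC 2440.
# The V5 -> SHA-256 entry is hypothetical, chosen only to illustrate dispatch.
FINGERPRINT_HASH = {4: "sha1", 5: "sha256"}


def hash_for_version(version: int) -> Optional[str]:
    """Return the fingerprint hash name for a key version, or None if unknown."""
    return FINGERPRINT_HASH.get(version)


def framed(body: bytes) -> bytes:
    """RFC 2440 fingerprint framing: 0x99, two-octet body length, body."""
    return b"\x99" + struct.pack(">H", len(body)) + body


def fingerprint(body: bytes) -> bytes:
    """Version-dispatched fingerprint.  Unknown versions are rejected rather
    than guessed at, which is what lets an old implementation fail cleanly
    on a key it does not understand."""
    algo = hash_for_version(body[0])
    if algo is None:
        raise ValueError(f"unsupported key version {body[0]}")
    return hashlib.new(algo, framed(body)).digest()


def fingerprint_patched_v4(body: bytes) -> bytes:
    """A hypothetical 'new V4' that silently uses SHA-256 on V4 keys.
    Nothing in the key bytes tells an unpatched implementation this happened,
    so the two camps compute different fingerprints for identical keys."""
    assert body[0] == 4
    return hashlib.sha256(framed(body)).digest()


def key_id(fp: bytes) -> bytes:
    """V4 key ID is the low 64 bits of the fingerprint (RFC 2440 section 11.2)."""
    return fp[-8:]


# Constructed placeholder key material (not a real RSA key): a 1024-bit odd
# number standing in for the modulus, the usual public exponent, and an
# arbitrary creation time.
SAMPLE_N = (1 << 1023) + 12345
SAMPLE_E = 65537
SAMPLE_CREATED = 1108598400

SAMPLE_V4_BODY = public_key_body(4, SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
SAMPLE_V5_BODY = public_key_body(5, SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)


if __name__ == "__main__":
    v4 = fingerprint(SAMPLE_V4_BODY)
    v5 = fingerprint(SAMPLE_V5_BODY)
    patched = fingerprint_patched_v4(SAMPLE_V4_BODY)
    print("V4 fingerprint (SHA-1):   ", v4.hex())
    print("V4 key ID:                ", key_id(v4).hex())
    print("V5 fingerprint (SHA-256): ", v5.hex())
    print("'patched V4' fingerprint: ", patched.hex(), "(differs from real V4)")
    try:
        fingerprint(bytes([3]) + SAMPLE_V4_BODY[1:])
    except ValueError as err:
        print("version 3 rejected:", err)
```

The only difference between the V4 and V5 bodies is the leading version octet, yet the fingerprints differ in both length and algorithm, and an implementation that does not know version 5 rejects the key outright. The "patched V4" case is the failure mode: the body is byte-for-byte a valid V4 key, so an unpatched peer accepts it and quietly computes a different fingerprint, which is the split installed base the message argues against.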