Re: SHA-1 broken
On Fri, 18 Feb 2005 16:27:04 +0100, aboietf said:
> 3 of the newspaper mailing lists I am on (IIRC, it was on the Heise
> Newsticker, the PC WELT newslist and the "focus.de"-newsreport).
Come on, not even semi-professionals would take PC WELT or that
general news magazine (focus) seriously.
> Hmh - for GnuPG the article may not have been a problem as it clearly
> stated that end users doing manual decryption are _not_ susceptible to
> the attack.
GnuPG is used in many gateways and AFAIK you are also using it.
> So the article contains clear statements that crypto gateways
> which use OpenPGP and do automatic decryption, are susceptible to
^^^^^^^^^^^
!!!!!!!!!!!
> the attack (and thus "broken").
> Aside from costing me time to explain the facts to every concerned
> customer, this situation is not very nice for our company. We
That is what service is about; explain to your clients whether this is a
problem for them or not.
> if Jon writes that the OpenPGP protocol is going to be changed due to
> a discovery, then this means to a journalist that the discovery must
> be "a really important security flaw or else no one would bother to
Better to tell people about potential weaknesses than to shift them
under the carpet. And well, from a commercial POV you get free
advertising due to such things. There is even no competitor who does
it better - so why bother?
Anyway, such political or economic discussion is IMHO out of scope for
the WG. Feel free to use gnupg-users@ or similar to continue.
Shalom-Salam,
Werner