[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New results against SHA-1

On 05/04/2009 01:38 PM, Werner Koch wrote:
> Using a number (2) and, say, a dot as a prefix would be a better choice.
> We use algorithnm numbers anyway and OpenPGP users are used tp spell a
> large row of hex digits; we would only confuse them with an S and an H..

ok, that works for me.  would the prefix be in hex or decimal?  for
example, would an SHA512 fingerprint look like



Ugh.  that's horrifically long either way.  Is a base64 encoding worth
considering?  it would shave off a third of the length, but it seems
like it would introduce significant ambiguity (0 vs O, A vs a, etc)

>>  e) allow injection of arbitrary key material at the head of signatures
>> to allow signers to to avoid a chosen-prefix attack?  This would make it
>> significantly more difficult to predict the hash that someone will sign,
> and gives more bandwidth for a subliminal channel...

True, but some room for the subliminal channel already exists (e.g.
notations can be injected in the signed material).  This would simply
allow signers to better control what they actually sign, rather than
being compelled into signing a given text.  Daniel Franke's recent
message on gnupg-devel about this is interesting:


Another approach would be to formally prefer digest algorithms that do
not exhibit the same single-pass behavior of SHA-1 -- is that feasible?

>>  f) explicit introduction of new hashes/ciphers/asymmetric algorithms?
> We should defer such a discussion until there are semi final results
> from the SHA-3 contest.

SHA-3 finalizes in the end of 2012, though first-round candidates have
already been selected.  Third quarter of 2010 should have finalists


Which phase of the timeline would be sufficient for you?

> Right, we should re-establish the WG to no rely on I-Ds by individuals.

So what's the process to do this?


Attachment: signature.asc
Description: OpenPGP digital signature