[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [openpgp] New fingerprint: to v5 or not to v5

Hi Werner,

On 17/09/2015 19:41 pm, Werner Koch wrote:
I'd like to get opinions on one specific aspect of a new fingerprint
format in 4880bis.

In the past we bound the fingerprint format to the key packet version:
v3 keys used MD5 and v4 keys SHA-1 fingerprints.  This gained us the
benefit of having a bijective connection between fingerprint and key.

I'm hugely on that side. I'll always vote for that. I even staked my rep on it :)


Which came directly from the experience of hacking PGP & OpenPGP in Perl/Java as part of Cryptix. The tears, the fears, the costs.

So: the only choice for me is which hash you pick for v5. If you want another one, start planning for v6.

For X.509 and ssh (OpenSSH), there has always been an uncertainty which
fingerprint to use because there is no well established standard for it.
For a long time MD5 was used but then some users switched to SHA-1, and
meanwhile SHA-256 is also seen more often.  These fingerprint formats
can easily be distinguished by their length and thus the format itself
is not a problem.  However, if you ask users to verify the fingerprint
of a certificate and you given them SHA-1 but they have only access to
the MD5 fingerprint things starts to get wrong.  Complicated (human)
reasoning about the identity of a certificate needs to be done.

With OpenPGP is is easier: The specs say that a key is described by one
and only one fingerprint.  There is no way to assign a different
fingerprint to the the same key.

If we want to introduce a, say, SHA-256 fingerprint, the straightforward
way is to define a v5 key packet format which will be identical to the
v4 format with the exception of the packet version number (and maybe
rules on what algorithms to use with a v5 key) [1].

Such a v5 format also means that it is not possible to switch to the new
fingerprint format for existing v4 keys.  The v4 keys would continue to
use SHA-1 fingerprints.


Some people claim that a SHA-1 fingerprint might soon be problematic due
to collision attacks.  If we assume that this is indeed the case, the
question is whether switching to SHA-256 for the very same key does
actually help: The mix of different fingerprints for the same key will
lead to the same confusion we have seen with X.509 and ssh.  Further, if
there is a need to switch to a stronger fingerprint format for the same
key, should the user not also assume that the use of the key has already
been compromised and it is time to create a new key?

The message is clear to me:  "Start upgrading to v5."

Put your energy in the future.  Put your users' energy into the future...

Given that we are expecting to soon switch from RSA to ECC for improved
security and that the current base of OpenPGP implementations supporting
ECC is quite small, I would recommend not to allow a second fingerprint
format for v4 keys but to bind a new fingerprint format to a v5 key
packet version.



[1] I recently talked to the guy who asked a long time ago for a hard
expiration time in a future key packet format.  He is not anymore
interested in this and thus other technical changes to the key packet
format a not needed.

iang, who not everyone agrees with...

openpgp mailing list