On 06/11/2009 01:40 PM, Daniel Kahn Gillmor wrote:

> However, once such an attack exists, the responsible course of action
> will be to promptly deprecate all keys that rely on SHA1 (in
> self-signatures, etc).

Before this gets misinterpreted, let me clarify: i understand that pre-existing self-signatures won't become inherently less trustworthy in the event that the digest algorithm they're based on has a practical flaw in its collision-resistance.

However, there's no cryptographic way to distinguish between pre-existing self-signatures (e.g. stuff you already had a hard copy of on your local machine before an attack was developed by someone elsewhere) and new forged signatures that have been forged to look old.

This suggests that from a systems infrastructure point of view, it's simplest and safest to consider suspect *all* signatures made over a digest with significantly weakened collision-resistance. This includes self-signatures, unfortunately, and the keys which rely on them.

--dkg
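The practical consequence of the argument above is an inventory question: which signatures in a keyring, self-signatures included, were made over a weakened digest? The following Python script is an added example, not code from dkg's mail or from the GnuPG project. It walks an RFC 4880 packet stream, derives the primary key's key ID from its fingerprint, and flags every signature packet whose hash algorithm is MD5 or SHA-1, marking those issued by the key itself over its own user ID or subkeys as self-signatures. The keyring it parses is constructed inline with toy RSA values (not a real key); partial-body and indeterminate packet lengths are left unsupported, and the signatures are not cryptographically verified, since the point is the digest-algorithm audit rather than validation.

```python
"""Inventory the digest algorithms used by signatures in an OpenPGP keyring (added example)."""
import hashlib
import struct

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
              10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}                                   # broken or weakened collision resistance
SELF_SIG_TYPES = {0x10, 0x11, 0x12, 0x13, 0x18, 0x1F}  # certifications, subkey binding, direct-key


def parse_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % i)
        i += 1
        if hdr & 0x40:                                 # new-format header
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                          # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + nbytes], "big"), i + nbytes
        yield tag, data[i:i + length]
        i += length


def parse_subpackets(buf):
    """Yield (type, body) from a v4 signature subpacket area; the type octet counts toward length."""
    i = 0
    while i < len(buf):
        first, i = buf[i], i + 1
        if first < 192:
            length = first
        elif first < 255:
            length, i = ((first - 192) << 8) + buf[i] + 192, i + 1
        else:
            length, i = struct.unpack(">I", buf[i:i + 4])[0], i + 4
        yield buf[i], buf[i + 1:i + length]
        i += length


def parse_signature(body):
    """Return (sig_type, hash_algo, issuer_key_id_hex or None) for a signature packet body."""
    if body[0] == 3:                                   # v3: len(5), type, time(4), keyid(8), pk, hash
        return body[2], body[16], body[7:15].hex()
    if body[0] != 4:
        raise ValueError("unsupported signature version %d" % body[0])
    sig_type, hash_algo = body[1], body[3]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    unhashed_len = struct.unpack(">H", body[6 + hashed_len:8 + hashed_len])[0]
    unhashed = body[8 + hashed_len:8 + hashed_len + unhashed_len]
    issuer = None
    for sp_type, sp_body in list(parse_subpackets(hashed)) + list(parse_subpackets(unhashed)):
        if sp_type & 0x7F == 16 and len(sp_body) == 8:   # Issuer subpacket (critical bit masked)
            issuer = sp_body.hex()
    return sig_type, hash_algo, issuer


def v4_key_id(key_body):
    """Key ID = low 64 bits of SHA-1(0x99 || 2-byte length || public-key packet body)."""
    fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()
    return fp[-8:].hex()


def audit(data):
    """Return one finding per signature packet: hash name, whether it is a self-signature, whether weak."""
    primary_id, findings = None, []
    for tag, body in parse_packets(data):
        if tag == 6 and body[0] == 4:                  # v4 primary public key
            primary_id = v4_key_id(body)
        elif tag == 2:
            sig_type, hash_algo, issuer = parse_signature(body)
            self_sig = issuer is not None and issuer == primary_id and sig_type in SELF_SIG_TYPES
            findings.append({"sig_type": sig_type, "self_sig": self_sig,
                             "hash": HASH_NAMES.get(hash_algo, "unknown(%d)" % hash_algo),
                             "weak": hash_algo in WEAK_HASHES})
    return findings


def _packet(tag, body):                                # new-format header, one-octet length
    return bytes([0xC0 | tag, len(body)]) + body


def _mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def build_sample_keyring():
    """Constructed keyring: toy v4 RSA key, a user ID, a SHA-1 self-cert and a SHA-256 third-party cert."""
    key_body = b"\x04" + struct.pack(">I", 1244700000) + b"\x01" + _mpi(0xC0FFEE) + _mpi(65537)
    key_id = bytes.fromhex(v4_key_id(key_body))

    def sig(sig_type, hash_algo, issuer):
        hashed = bytes([5, 2]) + struct.pack(">I", 1244700000)     # creation-time subpacket
        unhashed = bytes([9, 16]) + issuer                          # issuer subpacket
        body = (b"\x04" + bytes([sig_type, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
                + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + _mpi(0x1234))
        return _packet(2, body)

    return (_packet(6, key_body) + _packet(13, b"Example User <user@example.org>")
            + sig(0x13, 2, key_id)          # positive self-certification over SHA-1: suspect
            + sig(0x10, 8, bytes(8)))       # third-party certification over SHA-256


if __name__ == "__main__":
    for f in audit(build_sample_keyring()):
        print("sig type 0x%02x  hash %-8s  self-sig=%s  weak=%s" % (f["sig_type"], f["hash"], f["self_sig"], f["weak"]))
```

Run against a real exported key (`gpg --export` output) the same `audit()` lists every certification, binding and direct-key signature with its digest, which is the inventory you need before deciding which keys to re-sign or deprecate; the finding that matters most is a self-signature marked both `self_sig` and `weak`.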