
Re: Release file changes



On Mon, Feb 21, 2011 at 09:13:51PM +0100, Joerg Jaspert wrote:
> Care to make a point for the gpg stuff around it within bug
> #612657?

Gladly! Restating and Cc'ing...

While I agree that moving away from SHA-1 is necessary, SHA-512 is
not part of the compatibility set according to the gpg(1) manpage
and so may be hard for users of other OpenPGP implementations to
validate:

[...]
> > INTEROPERABILITY
> > 
> > GnuPG tries to be a very flexible implementation of the OpenPGP
> > standard. In particular, GnuPG implements many of the optional
> > parts of the standard, such as the SHA-512 hash, and the ZLIB
> > and BZIP2 compression algorithms. It is important to be aware
> > that not all OpenPGP programs implement these optional
> > algorithms and that by forcing their use via the --cipher-algo,
> > --digest-algo, --cert-digest-algo, or --compress-algo options in
> > GnuPG, it is possible to create a perfectly valid OpenPGP
> > message, but one that cannot be read by the intended recipient.
> > 
> > There are dozens of variations of OpenPGP programs available,
> > and each supports a slightly different subset of these optional
> > algorithms. For example, until recently, no (unhacked) version
> > of PGP supported the BLOWFISH cipher algorithm. A message using
> > BLOWFISH simply could not be read by a PGP user. By default,
> > GnuPG uses the standard OpenPGP preferences system that will
> > always do the right thing and create messages that are usable by
> > all recipients, regardless of which OpenPGP program they use.
> > Only override this safe default if you really know what you are
> > doing.
> > 
> > If you absolutely must override the safe default, or if the
> > preferences on a given key are invalid for some reason, you are
> > far better off using the --pgp6, --pgp7, or --pgp8 options.
> > These options are safe as they do not force any particular
> > algorithms in violation of OpenPGP, but rather reduce the
> > available algorithms to a "PGP-safe" list.
[...]

While it seems apparent that PGP 8 or older (and some other
compatible clients) will support SHA-256 but not SHA-512, I couldn't
find anything to back up the implication that one of them is
required by "the OpenPGP standard" while the other is optional. Both
are unmentioned in RFC 2440, and both are mentioned equally in RFC
4880. I'm guessing there were some intermediate standards in the 9
years between them where this would have been the case, but that
situation doesn't appear to have made it into an IETF RFC at least.

If it's only intended that modern implementations backending our
tools are going to need to validate the signatures and we don't
expect end users to do this themselves on other platforms, then I
don't suppose it's much of a concern but thought it worth mentioning
nonetheless.
-- 
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fungi@yuggoth.org); FINGER(fungi@yuggoth.org);
MUD(kinrui@katarsis.mudpy.org:6669); IRC(fungi@irc.yuggoth.org#ccl);
ICQ(114362511); YAHOO(crawlingchaoslabs); AIM(dreadazathoth); }
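The interoperability question above comes down to one byte in each signature packet: the hash algorithm ID. As an added example, not code from the original message or from Debian's archive tooling, here is a small Python script that reports that ID for every signature packet in a binary Release.gpg or in the armored signature block of an InRelease file, so you can see whether an archive is signed with SHA-512 (algorithm 10) or SHA-256 (algorithm 8) before worrying about which clients can verify it. Packet headers and signature layouts follow RFC 4880 sections 4.2, 5.2.2 and 5.2.3, and the algorithm IDs follow section 9.4; the sample packets are constructed inline and are not real Debian signatures, and all helper names are this example's own.

```python
"""Report the digest algorithm of each OpenPGP signature packet (added example)."""
import base64
import sys

# RFC 4880 section 9.4 hash algorithm registry.
HASH_ALGORITHMS = {
    1: "MD5", 2: "SHA1", 3: "RIPEMD160",
    8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224",
}
SIGNATURE_TAG = 2
ARMOR_BEGIN = b"-----BEGIN PGP SIGNATURE-----"


def dearmor(data: bytes) -> bytes:
    """Return the binary packet stream from binary or ASCII-armored input.

    For a clearsigned InRelease file only the trailing signature block is used.
    """
    start = data.find(ARMOR_BEGIN)
    if start < 0:
        return data  # already binary, e.g. Release.gpg as shipped
    b64 = []
    for line in data[start + len(ARMOR_BEGIN):].decode("ascii").splitlines():
        line = line.strip()
        if line.startswith("-----END PGP"):
            break
        if not line or ":" in line or line.startswith("="):
            continue  # armor header, blank separator, or CRC-24 line
        b64.append(line)
    return base64.b64decode("".join(b64))


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; RFC 4880 section 4.2 headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {pos - 1}")
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                length = len(data) - pos  # indeterminate length: runs to end
            else:
                n = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + n], "big")
                pos += n
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body


def signature_hash_algorithm(body: bytes) -> int:
    """Hash algorithm ID of a v3 or v4 signature packet body."""
    version = body[0]
    if version == 3:
        return body[16]  # after hashed-len, type, time(4), key ID(8), pk algo
    if version == 4:
        return body[3]   # version, sig type, pk algo, hash algo
    raise ValueError(f"unsupported signature version {version}")


def report_digests(data: bytes) -> list:
    """Return (version, algo id, algo name) for every signature packet."""
    out = []
    for tag, body in iter_packets(dearmor(data)):
        if tag == SIGNATURE_TAG:
            algo = signature_hash_algorithm(body)
            out.append((body[0], algo, HASH_ALGORITHMS.get(algo, f"unknown({algo})")))
    return out


# Constructed sample data (not real Debian signatures): minimal v4 signature
# packets with a dummy one-byte MPI, one new-format and one old-format header.
def _v4_packet(hash_algo: int, new_format: bool) -> bytes:
    body = (bytes([4, 0x00, 1, hash_algo])   # v4, binary sig, RSA, digest algo
            + b"\x00\x00" + b"\x00\x00"       # empty hashed/unhashed subpackets
            + b"\x12\x34" + b"\x00\x08\xab")  # left 16 bits of digest, 8-bit MPI
    header = (bytes([0xC0 | SIGNATURE_TAG, len(body)]) if new_format
              else bytes([0x80 | (SIGNATURE_TAG << 2), len(body)]))
    return header + body


SAMPLE_RELEASE_GPG = _v4_packet(10, True) + _v4_packet(8, False)  # SHA512 then SHA256
SAMPLE_INRELEASE = (b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
                    b"Origin: example\n\n" + ARMOR_BEGIN + b"\nVersion: constructed\n\n"
                    + base64.b64encode(SAMPLE_RELEASE_GPG)
                    + b"\n=AAAA\n-----END PGP SIGNATURE-----\n")  # CRC line is a placeholder

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_RELEASE_GPG
    for version, algo, name in report_digests(data):
        print(f"v{version} signature, digest algo {algo} ({name})")
```

Run it as `python3 sigdigest.py Release.gpg` (or on an InRelease file) to see one line per signature; the same number is what `gpg --list-packets` prints as "digest algo N". An archive carrying two signatures, one SHA-512 and one SHA-256, would show both, which is one way to serve old and new verifiers at once.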