Re: Regarding ideas to replace gpgv with sqv

To: Julian Andres Klode <jak@debian.org>
Cc: "Neal H. Walfield" <neal@walfield.org>, deity@lists.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: Regarding ideas to replace gpgv with sqv
From: Justus Winter <justus@sequoia-pgp.org>
Date: Sat, 06 Feb 2021 11:59:52 +0100
Message-id: <[🔎] 87h7mpjwbb.fsf@europ.lan>
In-reply-to: <[🔎] 20210205222836.GA374099@debian.org>
References: <20210128111151.GA1549690@debian.org> <87im7d5khd.wl-neal@walfield.org> <[🔎] 20210202133757.GA2796175@debian.org> <[🔎] 871rdy62yp.wl-neal@walfield.org> <[🔎] 20210202155655.GA2930139@debian.org> <[🔎] 20210205222836.GA374099@debian.org>

Julian Andres Klode <jak@debian.org> writes:

> On Tue, Feb 02, 2021 at 04:12:19PM +0100, Julian Andres Klode wrote:
>
>> [...] issues like the inability to deprecate MD5 or SHA1 for ages.

Are you absolutely sure that this is the metric by which you want to
judge protocols?

> and a proof of concept at
>
> https://gist.github.com/julian-klode/4514ce39d3dc62647b502e5a8cf6a3ef

https://gist.github.com/julian-klode/4514ce39d3dc62647b502e5a8cf6a3ef#file-inrelease-L10
https://gist.github.com/julian-klode/4514ce39d3dc62647b502e5a8cf6a3ef#file-inrelease-L927
https://cdimage.debian.org/debian-cd/current-live/amd64/bt-hybrid/MD5SUMS.sign
https://cdimage.debian.org/debian-cd/current-live/amd64/bt-hybrid/SHA1SUMS.sign
https://releases.ubuntu.com/bionic/MD5SUMS-metalink.gpg

In all seriousness, of course OpenPGP has deprecated these hashes (MD5:
[0], SHA1: [1]), and sane implementations reject signatures based on
them (MD5: [2], SHA1: [3]).

0: https://tools.ietf.org/html/rfc4880#section-9.4
1: https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-08#section-9.5
2: https://tests.sequoia-pgp.org/#Detached_Sign-Verify_roundtrip_with_key__Bob___MD5
3: https://tests.sequoia-pgp.org/#Detached_Sign-Verify_roundtrip_with_key__Bob___SHA1

Cheers,
Justus

Reply to:

Follow-Ups:
- Re: Regarding ideas to replace gpgv with sqv
  - From: Julian Andres Klode <jak@debian.org>

References:
- Re: Regarding ideas to replace gpgv with sqv
  - From: Julian Andres Klode <jak@debian.org>
- Re: Regarding ideas to replace gpgv with sqv
  - From: "Neal H. Walfield" <neal@walfield.org>
- Re: Regarding ideas to replace gpgv with sqv
  - From: Julian Andres Klode <jak@debian.org>
- Re: Regarding ideas to replace gpgv with sqv
  - From: Julian Andres Klode <jak@debian.org>

Prev by Date: Re: Regarding ideas to replace gpgv with sqv
Next by Date: Re: Regarding ideas to replace gpgv with sqv
Previous by thread: Re: Regarding ideas to replace gpgv with sqv
Next by thread: Re: Regarding ideas to replace gpgv with sqv
Index(es):
- Date
- Thread