DSA2 and recipient preferences

David Shaw dshaw at jabberwocky.com
Sun Jun 4 03:25:03 CEST 2006


On Sun, Jun 04, 2006 at 10:28:17AM +0930, Alphax wrote:
> David Shaw wrote:
> > On Sat, Jun 03, 2006 at 10:33:10PM +0200, Qed wrote:
> >> Playing with DSA2 keys (gnupg 1.4.4-svn4149) I've noticed a potentially
> >> problematic behaviour when mixing old and new keys.
> >>
> >> Suppose you have three keys:
> >> # <mybigDSA2> is your key and is a 3072DSA(q=256)
> >> # <recentKEY> is a key that has the following digest prefs: SHA1,
> >> SHA256, RIPEMD160
> >> # <oldKEY> is a key with the following (rather common) digest prefs:
> >> SHA1, RIPEMD160
> >> and you have personal-digest-preferences "H10 H9 H8 H3 H2" in your
> >> gpg.conf.
> >>
> >> with "gpg -u <mybigDSA2> -s -e --encrypt-to <mybigDSA2> -r <recentKEY>"
> >> we obtain a DSA/SHA256 signature, correct.
> >>
> >> with "gpg -u <mybigDSA2> -s -e --encrypt-to <mybigDSA2> -r <oldKEY>"
> >> we obtain a DSA/SHA512(truncated to 256bits) signature without ANY warning.
> >>
> >> with "gpg -u <mybigDSA2> -s -e --encrypt-to <mybigDSA2> -r <recentKEY>
> >> -r <oldKEY>"
> >> again we obtain a DSA/SHA512 sig without warnings, thus violating the
> >> preferences of both recipients.
> > 
> > Not a bug, just a no-way-out situation.  You told GPG to sign using a
> > q=256 key, so the hash has to be 256 bits or larger.  At the same
> > time, you told GPG that it had to use either SHA1 or RIPEMD160, both
> > of which are 160 bits.  In the case where GPG simply cannot come up
> > with a hash that pleases everyone, it goes with what the signing key
> > is capable of (i.e. 256 or larger) joined with your
> > personal-digest-prefs.  Thus it chose SHA512: larger than 256 bits so
> > the signing key was happy, and 512 because you listed it first.
> > 
> > I sympathize about the desire for a warning message here, but remember
> > that this would mean a warning message for almost every signature made
> > with a DSA2 key.  Any time you have a DSA2 key signing and encrypting
> > to an older key without SHA256 (which are a significant majority of
> > keys at this point) you would get a warning.  In such a situation,
> > warnings become meaningless.
> <snip>
> 
> How many people genuinely can't handle SHA256? Only pre-PGP 8 users?

Yes, and pre-GnuPG 1.4 users as well.

However, the problem in this particular case is not so much that they
can't handle SHA256, it's that their key may not have a preference for
SHA256.  It's also more than just SHA256 support - if the recipient
can't handle DSA2 signatures, then it doesn't matter if they have
SHA256 or not.  At the moment, the only implementation that is
confirmed to work with DSA2 signatures is GPG 1.4.3.

David
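
Added example (not part of the original message and not GnuPG source code): a simplified Python model of the digest selection described in this thread, run over the three recipient combinations from the quoted report. The function name, the tie-breaking by personal-digest-preferences order, and the returned "honored" flag are assumptions of this model.

```python
# Simplified model of the selection logic discussed in the thread.
# Assumption: this is an illustration, not GnuPG's implementation.

# OpenPGP hash algorithm IDs as written in gpg.conf preference strings.
DIGEST_NAME = {"H2": "SHA1", "H3": "RIPEMD160", "H8": "SHA256",
               "H9": "SHA384", "H10": "SHA512"}
DIGEST_BITS = {"H2": 160, "H3": 160, "H8": 256, "H9": 384, "H10": 512}

def select_digest(q_bits, personal_prefs, recipient_prefs):
    """Return (digest_name, honored).

    q_bits          -- size of q in the DSA signing key (256 for the 3072-bit key)
    personal_prefs  -- ordered personal-digest-preferences, e.g. ["H10", "H9", ...]
    recipient_prefs -- one list of digest IDs per recipient key
    honored         -- False when no digest satisfied every recipient, i.e. the
                       case where the thread asks for a warning
    """
    # The signing key dictates a minimum hash size; a longer hash is truncated.
    usable = [h for h in personal_prefs if DIGEST_BITS[h] >= q_bits]
    if not usable:
        raise ValueError("no personal digest is large enough for this key")

    # Digests every recipient has listed.
    common = set(DIGEST_BITS)
    for prefs in recipient_prefs:
        common &= set(prefs)

    # Prefer a digest acceptable to the key AND to all recipients.
    for h in usable:
        if h in common:
            return DIGEST_NAME[h], True

    # No-way-out case: key capability joined with personal preferences wins.
    return DIGEST_NAME[usable[0]], False

# Constructed inputs mirroring the report in the thread.
PERSONAL = ["H10", "H9", "H8", "H3", "H2"]
RECENT_KEY = ["H2", "H8", "H3"]   # SHA1, SHA256, RIPEMD160
OLD_KEY = ["H2", "H3"]            # SHA1, RIPEMD160

if __name__ == "__main__":
    cases = {"recentKEY": [RECENT_KEY], "oldKEY": [OLD_KEY],
             "recentKEY+oldKEY": [RECENT_KEY, OLD_KEY]}
    for label, recipients in cases.items():
        name, honored = select_digest(256, PERSONAL, recipients)
        note = "" if honored else "  (recipient preferences overridden)"
        print(f"{label}: DSA/{name}{note}")
```
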


