SHA1 being used despite public key preferences

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Oct 20 22:11:03 CEST 2010


On 10/20/2010 02:52 PM, David Shaw wrote:
> GnuPG itself defaulted to "RIPEMD/160 SHA-1" when generating keys.  The surprise was from those people who hadn't changed anything on their key - one day they were using SHA-1, then after upgrading GnuPG to the version that actually made use of the hash preferences, they would suddenly find themselves using RIPEMD/160.

If it's a key that people had been using already, then upgrading gpg
wouldn't affect their key's published preferences -- they'd have to
manually adjust that themselves.

So it sounds to me like you're saying people were surprised that they
were suddenly respecting *other* people's stated preferences for digest
algorithms that their OpenPGP implementation happens to support.

That doesn't seem too bad to me.  I'd call that a featureful upgrade :)

> [dkg wrote:]
>> I personally think that the --personal-digest-preferences should default
>> to the strongest supported algorithm:
>>
>> SHA512 SHA384 SHA256 SHA224 SHA1
>>
>> The current --default-preference-list defaults for digest algorithms are:
>>
>> SHA256 SHA1 SHA384 SHA512 SHA224
> 
> Isn't this sort of saying one thing with default-preference-list ("these are our ranked ordering of hashes..."), and then saying something else with personal-digest-preferences ("...but ignore that ranking and use this ranking instead") ?

let me see if i've got this right:

default-preference-list determines what the stated preference should be,
which is published in the self-sig on the user's own key.  That is, it's
for other people who want to sign things for me to verify.  For example,
on my key, it answers the question "what digest would dkg prefer people
to use when sending him signed mail?"

personal-digest-preferences determines what digests the *user* would
prefer to use.  In my own GnuPG configuration, it says "which digests
would i prefer to make signatures over?"

The choice of a digest for any particular signature takes into account
the published preferences of the recipients, along with the
--personal-digest-preferences of the signer.

I personally have mine set to the same thing -- that is, i prefer to
receive signatures made with stronger digests, and i prefer to *make*
signatures with stronger digests.

I think that's reasonable.

However, GnuPG's current --default-preference-list says "i prefer to
receive signatures made with SHA1 over signatures made with SHA512 (or
SHA384 or SHA224)".  I think this is a mistake -- if the signing party
for whatever reason prefers not to use SHA256, we are asking them to
fall back to a known-weaker algorithm, even if they have a
known-stronger algorithm available.

It would likewise be a mistake to have the personal-digest-preferences
rank SHA1 ahead of any stronger digest, particularly since SHA1 is
universally implemented.  In effect, using "SHA256 SHA1 SHA384 SHA512
SHA224" for the default personal-digest-preferences would say "never
make any signatures using SHA384, SHA512, or SHA224, even if the
recipient supports these digests".

So yes: i support having these orderings be the same; but i'd rather
that we not list stronger algorithms as lower-rated than the
universally-implemented-but-weakening SHA1.  I'd prefer to have
inconsistent internal defaults than to propagate what i see as a
suboptimal ordering from --default-preference-list into
--personal-digest-preferences.

I'd be even happier to have them both align, and list all the SHA-2
family ahead of SHA-1 (in whatever order).

> I'm not yet convinced a change is necessary here, but if something really needs to change, I would say that a better answer would be to make personal-digest-preferences not default to anything at all.  This would make it match the other personal-XXX-preferences, and allow the recipient keys to specify whatever they like (as is true for ciphers).  If a user chooses to restrict this list further, that's up to them.

That seems like an acceptable decision to me, though i'd prefer
something that more strongly defaults to something stronger than SHA-1.
i imagine most GnuPG users (were they aware of the choice) would prefer
to make signatures using digests stronger than SHA-1 where acceptable,
even if (for whatever reason) the recipient claims to prefer SHA-1 over
digests from the SHA-2 family.

> (Note that this does not mean that people can request MD5 - MD5 is deprecated, so if the algorithm picking math settles on MD5, and SHA-1 is also available, we'll use SHA-1).

yup, that's good.

	--dkg
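The digest negotiation this thread argues about, modelled in Python as an added example (this is not GnuPG's code). It assumes the selection rule described above: the signer walks its own --personal-digest-preferences in order and takes the first digest every recipient key advertises, SHA1 counts as advertised by every key, and a pick of deprecated MD5 is replaced by SHA1 when SHA1 is acceptable.

```python
# Added example modelling the OpenPGP digest negotiation described in the
# thread. The rule (first personal preference accepted by all recipients,
# SHA1 always implicitly accepted, MD5 never chosen over SHA1) is an
# assumption of this model, not GnuPG's source code.

IMPLICIT = "SHA1"        # every OpenPGP key is treated as accepting SHA1
DEPRECATED = {"MD5"}     # never settle on these when SHA1 would also do

GNUPG_DEFAULT = ["SHA256", "SHA1", "SHA384", "SHA512", "SHA224"]
DKG_PROPOSED = ["SHA512", "SHA384", "SHA256", "SHA224", "SHA1"]


def acceptable_to_all(recipient_prefs):
    """Digests advertised by every recipient key (plus the implicit SHA1).

    Returns None when there are no recipients, meaning 'no constraint'."""
    common = None
    for prefs in recipient_prefs:
        advertised = set(prefs) | {IMPLICIT}
        common = advertised if common is None else common & advertised
    return common


def choose_digest(personal_prefs, recipient_prefs):
    """Pick the signing digest: the first entry of the signer's
    personal-digest-preferences that all recipients accept."""
    common = acceptable_to_all(recipient_prefs)
    if common is None:                       # no recipients: signer decides
        common = set(personal_prefs) | {IMPLICIT}
    chosen = next((d for d in personal_prefs if d in common), IMPLICIT)
    if chosen in DEPRECATED and IMPLICIT in common:
        chosen = IMPLICIT                    # the MD5 rule from the thread
    return chosen


def demo():
    # Constructed recipient key that advertises SHA-2 digests but not SHA256.
    sha2_only_key = ["SHA512", "SHA384"]
    return {
        # SHA1 sits second in the default list, so SHA512 is never reached
        "gnupg_default": choose_digest(GNUPG_DEFAULT, [sha2_only_key]),
        # the proposed ordering uses the strongest digest both sides support
        "dkg_proposed": choose_digest(DKG_PROPOSED, [sha2_only_key]),
    }
```

Because SHA1 is accepted by every key, any list that ranks it second can only ever produce its first entry or SHA1; the digests ranked below SHA1 are unreachable.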
