Best Practices

David Shaw dshaw at jabberwocky.com
Mon Dec 13 01:27:29 CET 2010


On Dec 12, 2010, at 3:51 PM, Robert J. Hansen wrote:

> On 12/12/2010 3:03 PM, Daniel Kahn Gillmor wrote:
>> what do you mean by "V4 certificate checksums"?
> 
> Read the RFC.  It's in there, and does a better job than I can do of
> explaining it.  Section 5.5.3.

Ah, I also wasn't sure what you were referring to.

The checksum in 5.5.3 is to foil the Klima-Rosa attack (see http://eprint.iacr.org/2002/076 for the whole paper).  Briefly, though, it means that if an attacker can get access to your secret key, they can modify it slightly and then wait for you to issue a signature.  Once they see a signature issued from the modified key, they can reconstruct the secret key.  The passphrase on your secret key does not protect against this.

It's a very interesting attack, though if someone had access to your computer where your secret key lived, there is a whole load of other stuff they could do besides tamper with your secret key and wait for you to issue a signature. :)

The fix in OpenPGP is to hash the contents of the secret key, so any tampering is evident.

>> yeah, this is serious, but it's not embedded in the certificate.  if we
>> were to come up with a new fingerprint format, it would not invalidate
>> any existing certificates -- it would just change how we refer to them.
> 
> I am very skeptical of this claim you seem to be making, that we can
> just upgrade-in-place.

I am also skeptical of this.  I strongly doubt that new fingerprints can be achieved without going to a V5 key format.  There are just too many interoperability gotchas with an upgraded V4.  We might be able to fight our way through them, but therein lies extra complexity and confusion for the implementer and user, which is not what is wanted for a secure system.

V5 has the advantage of cleanliness and simplicity: there is no interoperability.  Which doesn't mean that you couldn't have V4 alongside V5 for a period of time, just as we had V3 alongside V4 for at least a decade.  The WoT would survive this just as it survived the V3->V4 transition.  As V4 ramped up, V3 died out.

David




More information about the Gnupg-users mailing list