On 12/9/2010 5:32 PM, Daniel Kahn Gillmor wrote:
> Again, can you give an example of such an exploit?

Here is where I get to say either of, "I don't have to," or "pick one," or "you're the one who's positing the attacks." All I'm positing is some future attack that will allow people to abuse a cert in a way you don't like. You're counseling that people move away from SHA-1 *today* based on the fear that somewhere someone has already done chosen-preimage collisions against SHA-1 in a reasonable timeframe. My assumption is quite a lot weaker than yours.

> "That is not my certificate. It was revoked (marked as superseded) on
> $date. I continue to use the same key material in a different certificate."

If the law in your jurisdiction recognizes such and the court has precedent to lean upon, this argument will fly. Speaking just for myself, I have no desire to be the first person to make such an argument. The instant you re-use key material, it opens the door to someone saying, "Your Honor, the existing precedent doesn't apply. He's still using the same certificate!" And now you're depending on a judge having better technical acumen than many of the people on this mailing list. Ultimately, it will reduce to a battle of the dueling expert opinions.

> And if addressing a hopelessly legally-minded audience in the USA, you
> could add: "of course i didn't make that signature; it uses
> $deprecated_algorithm, which i haven't used since NIST deprecated it
> back in 2010."

"You made it with that signature because you wanted to be able to repudiate it later. You're trying to deceive the Court."

On the one hand, what you say is perfectly reasonable. On the other hand, so is what I say.

>> Remember, in the eyes of the U.S. federal
>> court system, MD5 is considered a strong hash with no known attacks
>> against it.
>
> Could you cite a reference for this?

_Sanders v. State_, 191 S.W.3d 272 (Tex. App. - Waco 2006) (cert. denied 549 U.S. 1167, 127 S.Ct. 1141, 166 L.Ed.2d 893) (2007).

_State v. Morris_, 2005 WL 356801 (Ohio App. 9 Dist. Feb 16, 2005).

_State v. Cook_, 777 N.E.2d 882, 886 (Ohio App. 2002), including the money quote "In the present case, there is no doubt that the mirror image was an authentic copy of what was present on the computer's hard drive" -- the hard drive was imaged using EnCase, and MD5 was used to ensure the accuracy of the data.

Also, check the Federal Rules of Evidence. You may also want to read _Daubert v. Merrell Dow Pharmaceuticals_.

> There are lots of attacks that can be used against a clueless judiciary,

Yes. Which is why we don't create more of them without good cause. There's a difference between saying, "we have to play Russian Roulette," and, "let's put another few rounds in the cylinder first."

> Except that you've now broken entirely with the past, which is itself a
> human factor. Smooth migration, phased upgrades, and planned
> transitions are all good things from a human factors perspective.

If your migration path can't accommodate a planned, scheduled change of key material, it is quite likely you're doing it wrong.
_______________________________________________
Gnupg-users mailing list
http://lists.gnupg.org/mailman/listinfo/gnupg-users
