On 4/26/2013 12:18 PM, Mason Loring Bliss wrote:

> While I agree with what you're saying, the big difference between this
> situation and your example is that it's trivially easy for me to say "use
> this digest method instead of this other one" and then forget about it.
Sure: but what does it gain you? The answer would seem to be, "on the balance of probabilities, virtually nothing."

All the hash algorithms in OpenPGP are mathematically similar. They're all built around Merkle-Damgard constructions. History shows us that when there's a successful attack against one Merkle-Damgard construction, quite often this attack spurs new equivalent attacks against other hashes in the Merkle-Damgard family. This is one of the reasons why so few people recommend RIPEMD-160, for instance: despite the fact that there are no effective attacks against it, the consensus opinion seems to be that RIPEMD-160 is just too similar to SHA-1 and MD5 for there to be real confidence in it.

Let me repeat: *all* the hash algorithms in OpenPGP are Merkle-Damgards. So if there's not just a collision attack against SHA-1, but a preimage attack, well... are you really going to have any confidence in your signatures just because you're using SHA-256? I wouldn't. A preimage attack on SHA-1 would tell me the entirety of the Merkle-Damgard family is suspect and I need to stop using them immediately.

> Security is about nudging up the bar.

Yes: and is what you're talking about really a nudge? Or is it an act that appears to be a nudge, while in reality achieving effectively zero?

(Note that I'm not expressing doubt. You're the one who knows your threat model, not me. If you tell me that yes, this is a real nudge up, then that settles the question. I'm only raising a question: I am entirely apathetic as to the answer.)
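Added example (Python; not part of the post, nor GnuPG code): a toy Merkle-Damgard construction with a deliberately weak, constructed compression function. It shows a property that belongs to the construction rather than to any particular compression function: once two same-length prefixes collide, every common suffix collides too, which is why a structural result against one member of the family is read as a warning about the others. The function names, block sizes and constants are all assumptions made for the illustration.

```python
"""Toy Merkle-Damgard construction (added example, not from the post).
toy_compress is intentionally weak so a single-block collision is obvious;
real hashes differ mainly in the compression function, while the surrounding
construction shown in md_pad/md_hash is what SHA-1, SHA-256 and RIPEMD-160 share."""
import struct

BLOCK = 8  # toy block size in bytes (real hashes use 64 or 128)


def toy_compress(state: int, block: bytes) -> int:
    """Constructed stand-in for a compression function (assumption).
    Affine in each byte, so two blocks differing by (1,0) vs (0,31) collide."""
    for b in block:
        state = (state * 31 + b) & 0xFFFFFFFF
    return state


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, then the bit length."""
    padded = msg + b"\x80"
    while (len(padded) + 8) % BLOCK:
        padded += b"\x00"
    return padded + struct.pack(">Q", len(msg) * 8)


def md_hash(msg: bytes, compress=toy_compress, iv: int = 0x01234567) -> int:
    """Generic Merkle-Damgard loop: chain compress() over the padded blocks.
    The loop is the same whichever compression function is plugged in."""
    state = iv
    padded = md_pad(msg)
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state


def collision_extends(m1: bytes, m2: bytes, suffix: bytes) -> bool:
    """True when a collision between equal-length m1 and m2 survives
    appending a common suffix. In Merkle-Damgard this always holds, because
    the chaining value after m1 equals the one after m2 and the remaining
    blocks are identical; no property of the compression function is used."""
    return md_hash(m1 + suffix) == md_hash(m2 + suffix)


# Constructed single-block collision for toy_compress: bytes (1, 0) and
# (0, 31) feed the same value into the chaining state.
M1 = b"\x01\x00" + b"\x00" * 6
M2 = b"\x00\x1f" + b"\x00" * 6
```

Running `collision_extends(M1, M2, b"any signed payload")` returns True for every suffix, while unrelated inputs such as `b"a"` and `b"b"` still hash differently.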
