Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: GnuPG: devel

Re: un-trusting MD5 in gpg

  

 
GnuPG devel RSS feed   Index | Next | Previous | View Threaded


wk at gnupg

May 4, 2009, 1:09 AM

Post #1 of 23 (1754 views)
Permalink
Re: un-trusting MD5 in gpg
On Mon, 4 May 2009 04:44, dshaw [at] jabberwocky said:

> + if(sig->digest_algo==DIGEST_ALGO_MD5)
> + return G10ERR_BAD_SIGN;

I don't think that this is helpful. It catches one common case but does
not catch all the other cases where a signature is used for a malicious
purpose. There are many other ways of doing so, for example leaking
ones own key. A signature is a statement of the signer about something
he believes. We can't force him to believe the Right Thing.

Thus giving back an error code of "Bad signature" is wrong. It is a
good signature because the signer intended exactly that. The question
is how you evaluate such a signature. This is a matter of trust and
hard to put in code for a general purpose application, like gpg.

What can be done is to print a warning (already on our task list) and to
implement an option to ignore signatures done with digest algorithm foo
(similar to --disable-cipher-also)


Shalom-Salam,

Werner


--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dshaw at jabberwocky

May 4, 2009, 4:16 AM

Post #2 of 23 (1714 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On May 4, 2009, at 4:09 AM, Werner Koch wrote:

> On Mon, 4 May 2009 04:44, dshaw [at] jabberwocky said:
>
>> + if(sig->digest_algo==DIGEST_ALGO_MD5)
>> + return G10ERR_BAD_SIGN;
>
> I don't think that this is helpful. It catches one common case but
> does
> not catch all the other cases where a signature is used for a
> malicious
> purpose. There are many other ways of doing so, for example leaking
> ones own key. A signature is a statement of the signer about
> something
> he believes. We can't force him to believe the Right Thing.

Certainly not. That code is just a hack for Daniel Gillmor to see how
feasible it is in practice to run without MD5. It is not at all a
rigorous solution to the problem. It's also not at all something
appropriate to include in GPG without quite a bit of other work (it
breaks half the selftests, causes --print-mds to hit a BUG() case, etc).

David

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


wk at gnupg

May 4, 2009, 5:53 AM

Post #3 of 23 (1713 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On Mon, 4 May 2009 13:16, dshaw [at] jabberwocky said:

> Certainly not. That code is just a hack for Daniel Gillmor to see how
> feasible it is in practice to run without MD5. It is not at all a

Alright. I just wanted to make sure that nobody takes this as a
development plan.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dkg at fifthhorseman

May 4, 2009, 7:17 AM

Post #4 of 23 (1716 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
I'll give David's patch a try shortly, just to see how much of my
OpenPGP-related workflow breaks. I'll report back here with anything
interesting that i find.

Wouldn't it make more sense to return G10ERR_DIGEST_ALGO instead of
G10ERR_BAD_SIGN, though? libgpg-error suggests that it means "Invalid
Digest Algorithm". Any reason i shouldn't do that instead?

On 05/04/2009 04:09 AM, Werner Koch wrote:
> What can be done is to print a warning (already on our task list) and to
> implement an option to ignore signatures done with digest algorithm foo
> (similar to --disable-cipher-also)

Yes, something like --disable-digest-algo is the direction i think gpg
should be heading.

--dkg
Attachments: signature.asc (0.87 KB)


dshaw at jabberwocky

May 4, 2009, 7:46 AM

Post #5 of 23 (1714 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On May 4, 2009, at 10:17 AM, Daniel Kahn Gillmor wrote:

> I'll give David's patch a try shortly, just to see how much of my
> OpenPGP-related workflow breaks. I'll report back here with anything
> interesting that i find.
>
> Wouldn't it make more sense to return G10ERR_DIGEST_ALGO instead of
> G10ERR_BAD_SIGN, though? libgpg-error suggests that it means "Invalid
> Digest Algorithm". Any reason i shouldn't do that instead?

Either one is fine for the purpose of this test. The goal is just to
temporarily break MD5 to see what happens. Almost any return code
will do that.

> On 05/04/2009 04:09 AM, Werner Koch wrote:
>> What can be done is to print a warning (already on our task list)
>> and to
>> implement an option to ignore signatures done with digest algorithm
>> foo
>> (similar to --disable-cipher-also)
>
> Yes, something like --disable-digest-algo is the direction i think gpg
> should be heading.

--disable-digest-algo, if implemented the same way as --disable-cipher-
algo, implies that the hash won't exist at all for that run. That
means it won't be present even for things like --print-md. Is that
the intention here? I'm not against it, but I recall seeing a few
people using "gpg --print-md md5" as an alternative to "md5sum". We
might want to do something more surgical and just block MD5
verification for the OpenPGP operations (though completely removing
the hash has the appeal of simplicity).

David


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


wk at gnupg

May 4, 2009, 10:41 AM

Post #6 of 23 (1713 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On Mon, 4 May 2009 16:46, dshaw [at] jabberwocky said:

> might want to do something more surgical and just block MD5
> verification for the OpenPGP operations (though completely removing
> the hash has the appeal of simplicity).

In fact if you run GPG-2 with libgcrypt in Enforced FIPS mode, this is
already the case. The drawback is that you won't have Elganmal either.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dkg at fifthhorseman

May 4, 2009, 8:26 PM

Post #7 of 23 (1710 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On 05/04/2009 10:46 AM, David Shaw wrote:
> Either one is fine for the purpose of this test. The goal is just to
> temporarily break MD5 to see what happens. Almost any return code will
> do that.

OK, i'll make that change.

> --disable-digest-algo, if implemented the same way as
> --disable-cipher-algo, implies that the hash won't exist at all for that
> run. That means it won't be present even for things like --print-md.
> Is that the intention here?

Hrm. i've been considering Daniel Nagy's recent observation on
ietf-openpgp [0] that some uses of a digest algorithm within OpenPGP
(self-signatures, in particular) actually only rely on hash function
one-wayness, not collision-resistance.

It could be useful (though quite possibly "too configurable") to be able
to reject the use of a given digest under circumstances where
collision-resistance is needed (data signatures and non-self
certifications, for example), while permitting it under circumstances
where only one-wayness is needed (self-signatures). I have no idea how
to communicate this idea in anything resembling a sane UI or
configuration file that would be intelligible to normal users, though.

--dkg

[0] http://www.imc.org/ietf-openpgp/mail-archive/msg33252.html
Attachments: signature.asc (0.87 KB)


dkg at fifthhorseman

May 6, 2009, 1:04 PM

Post #8 of 23 (1699 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On 05/06/2009 03:42 PM, David Shaw wrote:
> I like this basic idea (though don't like the name "weak" for reasons I
> mentioned earlier). The analogy to personal-digest-preferences is a
> good one: this is the personal-digest-anti-preferences. Instead of the
> algorithms the user likes and wants to use when possible, these are the
> algorithms the user dislikes and won't accept.

--unacceptable-digest-algos maybe? Your point about "weak" is a good
one, i think. i was unaware that WEAK_KEY had a specific technical meaning.

Or what if we framed the option the other way: --acceptable-digest-algos
(and it would default to the full set)?

> We can't really do that because the meaning of personal-xxx-prefs is "I
> like these best", not "I will only accept these". People tend to do
> stuff like "personal-digest-prefs sha256" to favor sha-256, which would
> immediately lock out every other hash.

yeah, that's what i meant by "modifies the semantics of --p-d-p" that'd
be a Bad Thing. I just wanted to raise the idea, though. If we were
designing gpg from scratch today with no installed userbase, i'd push
hard to have it work like this, just for the sake of minimizing the
configuration space and presenting a simpler interface. Having the two
options allows for some weird (and unnecessary) configurations, like:

--unacceptable-digest-algos MD5 --personal-digest-preferences MD5

wherein you would only make signatures that you would never believe were
valid. The answer of course, is Don't Do This, but it's unfortunate to
give the user that much rope.

--dkg
Attachments: signature.asc (0.87 KB)


dshaw at jabberwocky

May 6, 2009, 1:23 PM

Post #9 of 23 (1698 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On May 6, 2009, at 4:04 PM, Daniel Kahn Gillmor wrote:

> On 05/06/2009 03:42 PM, David Shaw wrote:
>> I like this basic idea (though don't like the name "weak" for
>> reasons I
>> mentioned earlier). The analogy to personal-digest-preferences is a
>> good one: this is the personal-digest-anti-preferences. Instead of
>> the
>> algorithms the user likes and wants to use when possible, these are
>> the
>> algorithms the user dislikes and won't accept.
>
> --unacceptable-digest-algos maybe? Your point about "weak" is a good
> one, i think. i was unaware that WEAK_KEY had a specific technical
> meaning.

Maybe we should name it personal-digest-something. It makes it clear
that these are personal settings, pertain to digests, and that this is
sort of a parallel function to personal-digest-preferences. What are
the antonyms of preferences? personal-digest-dislikes? personal-
digest-rejections? personal-digest-disable?

> Having the two
> options allows for some weird (and unnecessary) configurations, like:
>
> --unacceptable-digest-algos MD5 --personal-digest-preferences MD5
>
> wherein you would only make signatures that you would never believe
> were
> valid. The answer of course, is Don't Do This, but it's unfortunate
> to
> give the user that much rope.

Hashes are a bit easier, but you can imagine some real problems with a
list of unacceptable ciphers. Let's say that we had a user who set
"personal-cipher-donotaccept 3des". What could this user do when
encrypting to a bunch of recipients whose ciphers do not intersect on
anything other than 3des? I guess the best thing to do would be to
simply error out.

David


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


tmz at pobox

May 6, 2009, 1:30 PM

Post #10 of 23 (1698 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
David Shaw wrote:
> Maybe we should name it personal-digest-something. It makes it
> clear that these are personal settings, pertain to digests, and that
> this is sort of a parallel function to personal-digest-preferences.
> What are the antonyms of preferences? personal-digest-dislikes?
> personal-digest-rejections? personal-digest-disable?

Something like personal-digest-excludes, p-d-exclusions, or
p-d-exceptions come to my mind.

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If at first you don't succeed, failure may be your style.
-- Demotivators (www.despair.com)


dkg at fifthhorseman

May 6, 2009, 1:46 PM

Post #11 of 23 (1700 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On 05/06/2009 04:23 PM, David Shaw wrote:
> Maybe we should name it personal-digest-something. It makes it clear
> that these are personal settings, pertain to digests, and that this is
> sort of a parallel function to personal-digest-preferences. What are
> the antonyms of preferences? personal-digest-dislikes?
> personal-digest-rejections? personal-digest-disable?

I'm not so sure. as currently defined, personal-digest-preferences
apply mainly in situations where you are the only person whose
preferences can be taken into account (clearsigning a public document,
for example) -- there are no recipients to consider, and you are
creating the digest yourself. This seems to be what makes them "personal".

But instead, we're talking about not *accepting* a particular digest
from someone else (or from yourself at an earlier time). Should this
blacklist we're creating also govern digests that we sign over? if we
say --personal-digest-blacklist, does that mean both that we will never
*generate* signatures over the given hash and that we will not accept
signatures over the given hash?

> Hashes are a bit easier, but you can imagine some real problems with a
> list of unacceptable ciphers. Let's say that we had a user who set
> "personal-cipher-donotaccept 3des". What could this user do when
> encrypting to a bunch of recipients whose ciphers do not intersect on
> anything other than 3des? I guess the best thing to do would be to
> simply error out.

There is always going to be a problem if the sets of user preferences
have no intersection, and this covers digests as well as ciphers.

Consider the case where alice [at] example indicates digest preferences
in her public self-sig that she only accepts signatures over MD5 and
SHA1 hashes, but bob [at] example decides that SHA1 and MD5 are
unacceptably compromised and he'll never issue signatures over them for
fear that his signature will be transferred to another message. bob
simply cannot send signed messages to alice in that case. And yes, gpg
should probably error out (or recommend refreshing the recipient's keys,
etc) if bob says "sign this message which is going to alice"

4880 mandates that all compliant tools must be *capable* of using SHA1,
but it can't compel all humans using the tools to happily generate
signatures over that (or any other) algorithm. With flexible cipher
suites and tools which adequately represent their users intent, it seems
likely that there will always exist some intersection of a user with a
pathologically archaic toolset and a user with pathologically
bleeding-edge demands. The tools need to be able to fail gracefully
when they recognize that such an intersection exists.

--dkg
Attachments: signature.asc (0.87 KB)


rjh at sixdemonbag

May 6, 2009, 2:31 PM

Post #12 of 23 (1698 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
Todd Zullinger wrote:
> Something like personal-digest-excludes, p-d-exclusions, or
> p-d-exceptions come to my mind.

personal-digest-refuse MD5




_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dshaw at jabberwocky

May 6, 2009, 3:04 PM

Post #13 of 23 (1695 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On May 6, 2009, at 4:46 PM, Daniel Kahn Gillmor wrote:

> On 05/06/2009 04:23 PM, David Shaw wrote:
>> Maybe we should name it personal-digest-something. It makes it clear
>> that these are personal settings, pertain to digests, and that this
>> is
>> sort of a parallel function to personal-digest-preferences. What are
>> the antonyms of preferences? personal-digest-dislikes?
>> personal-digest-rejections? personal-digest-disable?
>
> I'm not so sure. as currently defined, personal-digest-preferences
> apply mainly in situations where you are the only person whose
> preferences can be taken into account (clearsigning a public document,
> for example) -- there are no recipients to consider, and you are
> creating the digest yourself. This seems to be what makes them
> "personal".

p-d-p is used during all signing operations whether there are
recipients or not. The clearsign case has no recipients, but an
encrypt+sign does. Say Alice was signing a document and encrypting it
to Baker and Charlie. The cipher is chosen by taking the union of
Baker and Charlie's cipher preferences and then using Alice's personal-
cipher-preferences to pick Alice's favorite choice from the union.
The digest is chosen in the same way: take the union of Baker and
Charlie's preferences, and then use Alice's personal-digest-
preferences to pick Alice's favorite choice from the union. The only
thing that is special about picking digests is that some results are
impossible and are automatically discarded. Let's say Alice had a
3072-bit DSA key. The answer thus has to be SHA256, SHA384, or
SHA512. If the preferences cannot agree on one of these, then it is
forced.

Either way, though, Baker and Charlie's preferences are consulted first.

> But instead, we're talking about not *accepting* a particular digest
> from someone else (or from yourself at an earlier time). Should this
> blacklist we're creating also govern digests that we sign over? if we
> say --personal-digest-blacklist, does that mean both that we will
> never
> *generate* signatures over the given hash and that we will not accept
> signatures over the given hash?

Blacklist is pretty good. We could call it "blacklist-digests" (which
gives us a name for "blacklist-ciphers" later). It's reasonably clear
just from the name.

In terms of whether blacklist-digests only rejects incoming signatures
or both rejects incoming signatures and refuses to generate a
signature as well, I could make a reasonable argument for either side,
but I think I lean more towards doing both - rejecting incoming and
not generating outgoing. It would be a strange sort of thing if user
disliked an algorithm so much that he refused to accept it from
somewhere else, but yet still generated it himself.

> With flexible cipher
> suites and tools which adequately represent their users intent, it
> seems
> likely that there will always exist some intersection of a user with a
> pathologically archaic toolset and a user with pathologically
> bleeding-edge demands. The tools need to be able to fail gracefully
> when they recognize that such an intersection exists.

Up until today, we have relied on the must-implement algorithms to get
us out of a conflict like this. This will be a new, and surprising,
behavior for GPG. It will need to be off by default.

David


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dkg at fifthhorseman

May 6, 2009, 3:17 PM

Post #14 of 23 (1698 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On 05/06/2009 06:04 PM, David Shaw wrote:
> The cipher is chosen by taking the union of Baker and
> Charlie's cipher preferences and then using Alice's
> personal-cipher-preferences to pick Alice's favorite choice from the
> union.

Is it really the union and not the intersection? It seems that choosing
from the union could leave either Baker or Charlie with an unacceptable
choice.

> Blacklist is pretty good. We could call it "blacklist-digests" (which
> gives us a name for "blacklist-ciphers" later). It's reasonably clear
> just from the name.

works for me.

> In terms of whether blacklist-digests only rejects incoming signatures
> or both rejects incoming signatures and refuses to generate a signature
> as well, I could make a reasonable argument for either side, but I think
> I lean more towards doing both - rejecting incoming and not generating
> outgoing. It would be a strange sort of thing if user disliked an
> algorithm so much that he refused to accept it from somewhere else, but
> yet still generated it himself.

i lean the same way myself, toward having it cover both directions.

> Up until today, we have relied on the must-implement algorithms to get
> us out of a conflict like this. This will be a new, and surprising,
> behavior for GPG. It will need to be off by default.

"off by default" just means the "must-implement algorithms" are not
included in the blacklist by default, right? or do you envision some
additional switch needed in order to say "yes, i really want to put the
must-implement algorithm in the blacklist"?

--dkg
Attachments: signature.asc (0.87 KB)


dshaw at jabberwocky

May 6, 2009, 4:16 PM

Post #15 of 23 (1698 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On May 6, 2009, at 6:17 PM, Daniel Kahn Gillmor wrote:

> On 05/06/2009 06:04 PM, David Shaw wrote:
>> The cipher is chosen by taking the union of Baker and
>> Charlie's cipher preferences and then using Alice's
>> personal-cipher-preferences to pick Alice's favorite choice from the
>> union.
>
> Is it really the union and not the intersection? It seems that
> choosing
> from the union could leave either Baker or Charlie with an
> unacceptable
> choice.

Oops, yes, intersection! Fingers not behaving today.

>> Up until today, we have relied on the must-implement algorithms to
>> get
>> us out of a conflict like this. This will be a new, and surprising,
>> behavior for GPG. It will need to be off by default.
>
> "off by default" just means the "must-implement algorithms" are not
> included in the blacklist by default, right? or do you envision some
> additional switch needed in order to say "yes, i really want to put
> the
> must-implement algorithm in the blacklist"?

Off by default just means that the blacklist is empty by default. If
a user wants to blacklist something, whether that something is
optional or must-implement, they need to explicitly put it in there.

David


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


wk at gnupg

May 7, 2009, 1:53 AM

Post #16 of 23 (1699 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On Wed, 6 May 2009 21:31, dshaw [at] jabberwocky said:

> GPG_ERR_DISABLED_CIPHER_ALGO. Calling it "weak" is a value judgement
> (i.e. weaker than what? too weak for what?) The WEAK_KEY message is

Right. I came to the same conclusion this morning.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


wk at gnupg

May 7, 2009, 1:57 AM

Post #17 of 23 (1697 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On Thu, 7 May 2009 00:04, dshaw [at] jabberwocky said:

> Blacklist is pretty good. We could call it "blacklist-digests" (which
> gives us a name for "blacklist-ciphers" later). It's reasonably clear
> just from the name.

I agree. That term is different from disabled and may be used with
different semantics in other tools.

I would prefer

--blacklist-digest-algo NAME_or_NUMBER

The reason is that we do not need a specific order as with
personal-digest-preferences. It makes implementation (cf. gpgconf)
easier and better matches other options related to algorithms.


Salam-Shalom,

Werner


--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dkg at fifthhorseman

May 7, 2009, 7:40 AM

Post #18 of 23 (1698 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On 05/07/2009 04:53 AM, Werner Koch wrote:
> On Wed, 6 May 2009 21:31, dshaw [at] jabberwocky said:
>
>> GPG_ERR_DISABLED_CIPHER_ALGO. Calling it "weak" is a value judgement
>> (i.e. weaker than what? too weak for what?) The WEAK_KEY message is
>
> Right. I came to the same conclusion this morning.

Y'all have convinced me that "weak" is a bad term here now. Maybe gpg
should use an error term that points to the option in question?

What about GPG_ERR_BLACKLISTED_DIGEST_ALGO ?

--dkg
Attachments: signature.asc (0.87 KB)


dshaw at jabberwocky

May 7, 2009, 8:34 AM

Post #19 of 23 (1692 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On May 7, 2009, at 4:57 AM, Werner Koch wrote:

> On Thu, 7 May 2009 00:04, dshaw [at] jabberwocky said:
>
>> Blacklist is pretty good. We could call it "blacklist-
>> digests" (which
>> gives us a name for "blacklist-ciphers" later). It's reasonably
>> clear
>> just from the name.
>
> I agree. That term is different from disabled and may be used with
> different semantics in other tools.
>
> I would prefer
>
> --blacklist-digest-algo NAME_or_NUMBER
>
> The reason is that we do not need a specific order as with
> personal-digest-preferences. It makes implementation (cf. gpgconf)
> easier and better matches other options related to algorithms.

Sounds good to me. So, thus far, the plan sounds like:

--blacklist-digest-algo (name or number)
--no-blacklist-digest-algo (name or number)

Repeating the blacklist-digest-algo option can be done to add more
than one algorithm to the blacklist. no-blacklist-digest-algo can be
used to remove something from the list. Whoever gets in last (add to
the list or remove from the list) wins.

A blacklisted digest will cause signature verification to fail with an
appropriate error message along the lines of "digest algorithm is
blacklisted" (internally, GPG_ERR_BLACKLISTED_DIGEST or the like).

A key certification created with a blacklisted digest will not be part
of the web of trust.

A blacklisted digest will also not be usable when creating a signature/
certification, with the same sort of error returned.

This does not affect the use of the digest in things like --print-md.

gpg --version will flag blacklisted algorithms by putting them in
[brackets].

David


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


wk at gnupg

May 7, 2009, 9:41 AM

Post #20 of 23 (1695 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On Thu, 7 May 2009 17:34, dshaw [at] jabberwocky said:
> --blacklist-digest-algo (name or number)
> --no-blacklist-digest-algo (name or number)
>
> Repeating the blacklist-digest-algo option can be done to add more
> than one algorithm to the blacklist. no-blacklist-digest-algo can be
> used to remove something from the list. Whoever gets in last (add to
> the list or remove from the list) wins.

Okay.

> A blacklisted digest will cause signature verification to fail with an
> appropriate error message along the lines of "digest algorithm is
> blacklisted" (internally, GPG_ERR_BLACKLISTED_DIGEST or the like).

The name of the erro code is too specific. GPG_ERR_DISABLED_DIGEST is
better; if you like the error message may say "...disabled or blacklisted".

> A key certification created with a blacklisted digest will not be part
> of the web of trust.
>
> A blacklisted digest will also not be usable when creating a signature/
> certification, with the same sort of error returned.
>
> This does not affect the use of the digest in things like --print-md.

Okay.

> gpg --version will flag blacklisted algorithms by putting them in
> [brackets].

Not okay, see my other mail.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dkg at fifthhorseman

May 7, 2009, 10:14 AM

Post #21 of 23 (1692 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On 05/07/2009 12:41 PM, Werner Koch wrote:
> On Thu, 7 May 2009 17:34, dshaw [at] jabberwocky said:
>> A blacklisted digest will cause signature verification to fail with an
>> appropriate error message along the lines of "digest algorithm is
>> blacklisted" (internally, GPG_ERR_BLACKLISTED_DIGEST or the like).
>
> The name of the erro code is too specific. GPG_ERR_DISABLED_DIGEST is
> better; if you like the error message may say "...disabled or blacklisted".

Can you explain what the problem is with having a more-specific error
code? We're talking about introducing new semantics in gpg already.
Why not have an error code that specifically refers to those semantics?

--dkg
Attachments: signature.asc (0.87 KB)


jmoore3rd at bellsouth

May 7, 2009, 10:15 AM

Post #22 of 23 (1692 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
Werner Koch wrote:

> The name of the erro code is too specific. GPG_ERR_DISABLED_DIGEST is
> better; if you like the error message may say "...disabled or blacklisted".

I am very interested in these discussions but they have brought to mind
a Question:

How many instances of --verbose will need to be called for the
'blacklisted' messages to usefully appear? 1, 2 or all 3?

I bring this up specifically because in the Past I discovered that
calling 3 instances of --verbose for maximum 'information' can cause the
View Photo ID option within Enigmail to fail. Certainly not the end of
the World but one of the 'rabbit trails' My mind constantly considers.

JOHN :-D
Timestamp: Thursday 07 May 2009, 13:15 --400 (Eastern Daylight Time)
Attachments: signature.asc (0.64 KB)


wk at gnupg

May 7, 2009, 10:36 AM

Post #23 of 23 (1695 views)
Permalink
Re: un-trusting MD5 in gpg [In reply to]
On Thu, 7 May 2009 19:14, dkg [at] fifthhorseman said:

> Can you explain what the problem is with having a more-specific error
> code? We're talking about introducing new semantics in gpg already.
> Why not have an error code that specifically refers to those semantics?

There are already too many different error codes out of histroical
reasons. Over the time I learned that many orf them are not very
usefule, whereas others are too broad. These error codes are not only
for displaying someting to a user but mainly used as a small-bandwidth
notification system. GnuPG acts on certain error codes and I can't see
how it should behave different on a disabled and a blacklisted also. In
fact I am not sure whether we need them at all, we can display a custom
message to the user (or via --status-fd) and internally use the error
code for unknown algorithm.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel

GnuPG devel RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.