
Mailing List Archive: GnuPG: users

kernel.org status: establishing a PGP web of trust

 

 



marcio.barbado at gmail

Sep 30, 2011, 5:57 PM

Post #1 of 10 (631 views)
kernel.org status: establishing a PGP web of trust

http://lwn.net/Articles/461236/



Marcio Barbado, Jr.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users


rjh at sixdemonbag

Sep 30, 2011, 7:11 PM

Post #2 of 10 (627 views)
Re: kernel.org status: establishing a PGP web of trust [In reply to]

On 9/30/2011 8:57 PM, Marcio B. Jr. wrote:
> http://lwn.net/Articles/461236/

Before people panic, there are no known weaknesses in DSA. The SHA-1
hash algorithm has some severe problems, but there's nothing in DSA that
requires the use of SHA-1: you can replace it with any 160-bit hash.

Let's not panic, and let's not migrate away from DSA without good
reason. :) Migrate away from SHA-1, sure, but DSA is fine.




aaron.toponce at gmail

Oct 1, 2011, 5:57 AM

Post #3 of 10 (623 views)
Re: kernel.org status: establishing a PGP web of trust [In reply to]

On 09/30/2011 08:11 PM, Robert J. Hansen wrote:
> On 9/30/2011 8:57 PM, Marcio B. Jr. wrote:
>> http://lwn.net/Articles/461236/
>
> Before people panic, there are no known weaknesses in DSA.

I agree, people should not panic. But, people should be aware of the
"random k" in DSA signatures:

http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/

Sony fell victim to this very problem with their PS3, because they
failed to sufficiently randomize "k".

If your RNG sucks (not something GNU/Linux users need to worry about if
/dev/random is used), then DSA should not be considered. Thus, the
recommendation to use RSA instead, as it doesn't suffer from this.

--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o


aaron.toponce at gmail

Oct 1, 2011, 6:01 AM

Post #4 of 10 (619 views)
Re: kernel.org status: establishing a PGP web of trust [In reply to]

On 10/01/2011 06:57 AM, Aaron Toponce wrote:
> http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/

Here's another good link:

https://secure.wikimedia.org/wikipedia/en/wiki/Digital_Signature_Algorithm#Sensitivity

Having a sufficient amount of paranoia, would keep you from using DSA, I
would think.

--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o


sandals at crustytoothpaste

Oct 1, 2011, 9:51 AM

Post #5 of 10 (619 views)
Re: kernel.org status: establishing a PGP web of trust [In reply to]

On Sat, Oct 01, 2011 at 07:01:14AM -0600, Aaron Toponce wrote:
> Having a sufficient amount of paranoia, would keep you from using DSA, I
> would think.

I have an RSA key with RSA subkeys, but now that larger DSA keys are
generally available, I'd be okay with revolving DSA signing subkeys. As
you've pointed out, DSA has the disadvantage that k must always be
different, but it also has advantages, one of them being that p, q, and
g can be shared among a group of people such that p and q can be
*proven* to be prime and generated in a reproducible way. Another one
is that DSA signatures are smaller: there are two MPIs stored for each
signature, but those MPIs are at most 256 bits long each, while for an
RSA signature that was only 512 bits long, the security would be
woefully inadequate.

Point being, both DSA and RSA have their good and bad points, and if
you're fairly confident that you have a good PRNG, such as /dev/urandom,
then there's not really much concern about k. After all, you also need
a good PRNG for CFB IVs as well, although the consequences aren't as
disastrous.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187


peter at digitalbrains

Oct 1, 2011, 11:45 AM

Post #6 of 10 (617 views)
Re: kernel.org status: establishing a PGP web of trust [In reply to]

On 01/10/11 18:51, brian m. carlson wrote:
> Point being, both DSA and RSA have their good and bad points, and if
> you're fairly confident that you have a good PRNG, such as /dev/urandom,
> then there's not really much concern about k. After all, you also need
> a good PRNG for CFB IVs as well, although the consequences aren't as
> disastrous.

But you need a good PRNG for generating the session key, which is a lot more
important than the CFB IV.

But when it comes to signing stuff, not encryption, I suppose you can indeed use
RSA without a good PRNG.

The Debian OpenSSL debacle, however, rendered every DSA key *used* on such a
system useless, whereas RSA was only compromised when the key was *generated* on
such a box.

Personally, I see it as an advantage of RSA that using it with a poor PRNG
doesn't disclose your private key, but it wouldn't stop me from using ECDSA when
it is mainstream. Your PRNG simply shouldn't be bad when you do crypto.
Obviously software bugs can always happen, and in the specific Debian OpenSSL
instance it was worse for DSA, but the next big bug might by chance hurt RSA and
leave DSA in the clear.

And we have DSA to thank for the fun of Sony's silly mistake! :)

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
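
Added example, not part of any post in this thread: a toy DSA in Python showing the "random k" failure discussed above from the auditing side. Two signatures under one key that share the same r were made with the same k, and that pair is enough to solve for the private key. The group parameters, key, messages and nonces are constructed for illustration and far too small for real use.

```python
import hashlib
import math
from collections import defaultdict

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

Q = 2**31 - 1                    # toy subgroup order (a Mersenne prime)
P = next(k * Q + 1 for k in range(2, 2000, 2) if is_prime(k * Q + 1))
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 50)) if g != 1)

def H(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(x, msg, k):
    """Textbook DSA; k is a parameter so a broken RNG can be modelled."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (H(msg) + x * r) % Q
    return r, s

def verify(y, msg, sig):
    r, s = sig
    w = pow(s, -1, Q)
    v = pow(G, H(msg) * w % Q, P) * pow(y, r * w % Q, P) % P % Q
    return 0 < r < Q and 0 < s < Q and v == r

def reused_nonces(signed):
    """Audit check: under one key, equal r values mean the same k was used."""
    by_r = defaultdict(list)
    for msg, (r, s) in signed:
        by_r[r].append((msg, s))
    return {r: v for r, v in by_r.items() if len(v) > 1}

def key_from_reuse(r, pair):
    """Why the audit matters: equal r lets anyone solve for k, then for x."""
    (m1, s1), (m2, s2) = pair[:2]
    k = (H(m1) - H(m2)) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - H(m1)) * pow(r, -1, Q) % Q

X = 123456789                    # constructed private key
Y = pow(G, X, P)                 # matching public key
K_STUCK = 0xC0FFEE               # constructed: an RNG that repeats its output
LOG = [(m, sign(X, m, k)) for m, k in [(b"release-1.0.tar", K_STUCK),
                                       (b"release-1.1.tar", 0xBEEF01),
                                       (b"release-1.2.tar", K_STUCK)]]
```

All three signatures in `LOG` verify normally, which is why the repeated r has to be looked for explicitly; once it appears, the key has to be treated as disclosed and revoked.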



rjh at sixdemonbag

Oct 1, 2011, 1:46 PM

Post #7 of 10 (622 views)
Re: kernel.org status: establishing a PGP web of trust [In reply to]

On 10/1/2011 9:01 AM, Aaron Toponce wrote:
> https://secure.wikimedia.org/wikipedia/en/wiki/Digital_Signature_Algorithm#Sensitivity

This is an argument against having a *bad* DSA implementation, in the
exact same way you shouldn't use a bad RSA implementation, either. RSA
has just as many warnings -- take a look at how many times PKCS has been
updated to reflect new understandings of RSA's risks.

> Having a sufficient amount of paranoia, would keep you from using DSA, I
> would think.

That's the same level of paranoia that led to Kurt Goedel starving to
death because he was afraid of how everyone around him was trying to
poison him. I don't think we should recommend that level of paranoia.




aaron.toponce at gmail

Oct 1, 2011, 3:58 PM

Post #8 of 10 (621 views)
Re: kernel.org status: establishing a PGP web of trust [In reply to]

On 10/01/2011 02:46 PM, Robert J. Hansen wrote:
> That's the same level of paranoia that led to Kurt Goedel starving to
> death because he was afraid of how everyone around him was trying to
> poison him. I don't think we should recommend that level of paranoia.

That's not a healthy dose of paranoia. A healthy dose of paranoia in
that case would be washing your hands before you eat, or not eating
something off the floor. Starving yourself, because you think people are
trying to poison you is not healthy.

--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o


jerome+person at jeromebaum

Oct 2, 2011, 7:53 PM

Post #9 of 10 (616 views)
Re: kernel.org status: establishing a PGP web of trust [In reply to]

On 2011-10-02 00:58, Aaron Toponce wrote:
> On 10/01/2011 02:46 PM, Robert J. Hansen wrote:
> That's not a healthy dose of paranoia. A healthy dose of paranoia in
> that case would be washing your hands before you eat, or not eating
> something off the floor. Starving yourself, because you think people are
> trying to poison you is not healthy.

"When his wife was hospitalized, Gödel literally starved himself to
death, unwilling to eat anything not prepared by her."
(http://www.webcitation.org/629GhJ129)

What I don't get is, why didn't he just make his own food?

--
Q: What is your secret word?
A: That's right.
Q: What's right?
A: Yes.
Q: Sir, you're going to have to tell me your secret word.
A: What?
Q: I said please tell me your secret word.
A: What?
Q: What's your secret word?
A: Yes.
Q: Sorry, "yes" is not your secret word. You have two more chances.
A: I said what?
Q: Yes.
A: Right, so you admit I said it.
Q: No, you said "yes."
A: No, "what!"
Q: When?
A: When you asked for my secret word!
Q: What?
A: Yes!
Q: I'm sorry, that's incorrect. You have one more chance to say your
secret word.
A: I'd like to speak to your supervisor.
Q: Very well, I'll transfer you. His name is Hu.

(http://boingboing.net/2010/05/03/fun-with-a-banks-sec.html)



rjh at sixdemonbag

Oct 3, 2011, 3:12 AM

Post #10 of 10 (622 views)
Re: kernel.org status: establishing a PGP web of trust [In reply to]

On 10/2/2011 10:53 PM, Jerome Baum wrote:
> What I don't get is, why didn't he just make his own food?

He did, until he ran out of food. Then he was literally too paranoid to
leave the house to buy groceries.

Clinical paranoia is a brutal mental illness.
