Cryptographically Strong Software Distribution HOWTO

V. Alex Brennen vab at cryptnet.net
Tue Jul 3 15:11:11 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 3 Jul 2001, Ben Laurie wrote:

> > I think it would be good to see the Apache Project make a
> > policy as to request (require) the signature of releases
> > by the individual responsible for the release.  It would
> > also be good to ask apache core members to generate new
> > version 4 openPGP keys to replace older keys and continue
> > to build the excellent web of trust that the group has
> > established. The October ApacheCon in Europe would be an
> > excellent time to integrate new version 4 keys into the
> > Apache web of trust.
>
> I'm not sure I understand the significance of this request - why are
> version 4 keys better?

Let me speak to version 3 PGP keys (version 2 keys are obvious
afterwards).

Version 3 keys create key fingerprints with MD5 which results in
only a 32 byte hash as opposed to the 40 byte fingerprint produced
by the use of SHA1 hash in openPGP version 4.  In openPGP version 4,
the keyid is the low 8 bytes of the SHA1 hash/fingerprint and the
full keyid is the low 16 bytes of the hash/fingerprint.  In
version 3, there is no full keyid (16 byte ID) and the 8 bytes
of the keyid are independent of the key fingerprint (it is the
low 64 bits of the public modulus of the RSA key).  The use of
MD5, and the failure to hash the full key material to generate
the keyid makes version 3 keys significantly weaker (key id and
fingerprint collisions, key content modifications) than version
4 keys.  (Keep in mind that most PGP programs retrieve PGP keys
from the keyservers, and specify keys in program operation, by
the 8 byte keyid.)

A quote from RFC2440 on Version 3 Keys:

"V3 keys SHOULD only be used for backward compatibility because of
three weaknesses in them. First, it is relatively easy to construct a
V3 key that has the same key ID as any other key because the key ID
is simply the low 64 bits of the public modulus. Secondly, because
the fingerprint of a V3 key hashes the key material, but not its
length, which increases the opportunity for fingerprint collisions.
Third, there are minor weaknesses in the MD5 hash algorithm that make
developers prefer other algorithms."

So, everyone should generate all new keys with the version 4 format.
I think it's a very good idea to attempt to migrate to the version
4 format if at all possible.  Many people are still using version
2.6.x of PGP because of its source available status.  This is
obviously a bad thing.  Those people should convert to GnuPG
which runs on most platforms (including Microsoft Windows).

Since most projects and developers do not yet have PGP keys and
webs of trust set up, it is logical to have them use version 4.
The projects which do have developers with version 2 and 3 keys
usually don't have webs of trust set up which makes it of little
cost to discard and replace the older keys.  In the case of a
project like Apache where there is an existing web of trust and
a number of version 2 and 3 keys, there will be a significant
cost to discard the older keys.  The cost of the elimination
of web of trust links is what I was referring to in the howto
by 'good reason not to do so' when I said:

"I strongly suggest that you revoke any version 2 or version 3
public keys and replace them with version 4 keys unless you
have good reason not to do so."

However, due to the weaknesses in version 3 keys, it makes
sense to attempt to start a migration in the Apache Project
and the ASF to the openPGP version 4 format keys.  Particularly
with a conference coming up where developers will hopefully
be able to get together and sign keys.  Obviously, there has
not been a compromise of the version 2 and version 3 formats
that imparts an immediate need to revoke older keys and discard
the links in the Apache Web of Trust.  But, in my opinion
there is still sufficient cause for migration to version
4.  Apache members can have both a new version 4 replacement
key and a well integrated version 2 or 3 key.  Hopefully,
the version 4 key will soon be well integrated and the
version 2 or 3 key can be revoked.  Until that time, a
reciprocal signature between the old and new keys of
an individual should provide for sufficient trust of
new keys.

It is just a suggestion.


	- VAB

- ---
V. Alex Brennen      <vab at cryptnet.net>
[ http://www.cryptnet.net/people/vab/ ]
[ http://www.advogato.org/person/vab/ ]
     C R Y P T O A N A R C H I S T
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQE7QhjX+pIJc5kqSz8RAiIYAKCBZmoTQY0ZsSiQ40WcEeZep9MI/wCeMLvo
1hSHI7Noy3/4lgZOVXzCRwI=
=XZ13
-----END PGP SIGNATURE-----
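
The following is an added example, not part of the original message: it computes version 3 and version 4 RSA key IDs and fingerprints as defined in RFC 2440, section 11.2, to show the two version 3 weaknesses quoted above. The moduli, exponents and creation time are constructed values, not usable keys.

```python
import hashlib
import struct

def mpi(x: int) -> bytes:
    """OpenPGP MPI: two-octet bit count, then the big-endian magnitude."""
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")

def v3_key_id(n: int) -> str:
    # V3: the low 64 bits of the RSA modulus, with no hashing at all.
    return f"{n & 0xFFFFFFFFFFFFFFFF:016X}"

def v3_fingerprint(n: int, e: int) -> str:
    # V3: MD5 over the MPI bodies only; the two-octet length prefixes are skipped.
    return hashlib.md5(mpi(n)[2:] + mpi(e)[2:]).hexdigest().upper()

def v4_fingerprint(n: int, e: int, created: int) -> str:
    # V4: SHA-1 over 0x99, a two-octet body length, then the whole key packet
    # body (version, creation time, algorithm 1 = RSA, MPIs with lengths).
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def v4_key_id(n: int, e: int, created: int) -> str:
    # V4: the key ID is the low 64 bits of the fingerprint.
    return v4_fingerprint(n, e, created)[-16:]

# Constructed values for illustration; none of these is a usable RSA key.
CREATED = 994187471  # arbitrary constructed creation timestamp
LOW = 0x0123456789ABCDEF
N_A = (1 << 1023) | (0xAAAA << 64) | LOW
N_B = (1 << 1023) | (0x5555 << 64) | LOW
E = 0x010001
# Same concatenated bytes C3 11 22 33 01 00 01, split at a different point.
SPLIT_1 = (0xC3112233, 0x010001)
SPLIT_2 = (0xC31122, 0x33010001)

if __name__ == "__main__":
    print("v3 key IDs:", v3_key_id(N_A), v3_key_id(N_B))
    print("v4 key IDs:", v4_key_id(N_A, E, CREATED), v4_key_id(N_B, E, CREATED))
    print("v3 fingerprints:", v3_fingerprint(*SPLIT_1), v3_fingerprint(*SPLIT_2))
    print("v4 fingerprints:", v4_fingerprint(*SPLIT_1, CREATED), v4_fingerprint(*SPLIT_2, CREATED))
```

The two moduli differ only above bit 64, so their version 3 key IDs match while the version 4 key IDs do not; the two splits hash to the same version 3 fingerprint because the MPI lengths are left out of the MD5 input.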




