>>>>> On Wed, 06 Apr 2022, Jason A Donenfeld wrote:

> So I'll spell out the different possibilities:

> 1) GPG uses SHA-512. Manifest uses SHA-512 and BLAKE2b.
> 1a) Possibility: SHA-512 is broken. Result: system broken.
> 1b) Possibility: BLAKE2b is broken. Result: nothing.

> 2) GPG uses SHA-512. Manifest uses SHA-512.
> 2a) Possibility: SHA-512 is broken. Result: system broken.
> 2b) Possibility: BLAKE2b is broken. Result: nothing.

> 3) GPG uses SHA-512. Manifest uses BLAKE2b.
> 3a) Possibility: SHA-512 is broken. Result: system broken.
> 3b) Possibility: BLAKE2b is broken. Result: system broken.

> See how from a security perspective, (2) is not worse than (1), but
> (3) is worse than both (1) and (2)?

No it isn't. We can replace the top-level signature easily, but
replacing all Manifest hashes in the tree is hard (i.e. 1a and 3a are
trivial to fix, but 2a and 3b aren't).

I've said this multiple times now, so I'm out of here.

Ulrich
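The Manifest side of the cases above, as an added example that is not part of the thread or of Portage's own verifier: a Manifest2-style entry listing several digests is accepted only if every listed digest matches, so with SHA-512 and BLAKE2b both present (case 1) a break of one hash alone gains an attacker nothing, whereas with BLAKE2b alone (case 3) it does. The GPG signature over the top-level Manifest is out of scope here; the entry, file contents and the `broken` set that simulates a collidable hash are all constructed.

```python
"""Multi-digest verification of a Gentoo-style Manifest2 'DIST' entry.
Added example; the Manifest line and file contents are constructed."""
import hashlib

# Manifest2 algorithm names mapped to hashlib constructors (assumed subset).
ALGOS = {
    "SHA512": hashlib.sha512,
    "BLAKE2B": hashlib.blake2b,
}


def parse_manifest_line(line):
    """'DIST name size ALG hex [ALG hex ...]' -> (name, size, {ALG: hex})."""
    fields = line.split()
    if len(fields) < 5 or (len(fields) - 3) % 2:
        raise ValueError("malformed Manifest entry")
    name, size = fields[1], int(fields[2])
    digests = {fields[i].upper(): fields[i + 1].lower()
               for i in range(3, len(fields), 2)}
    return name, size, digests


def verify_file(data, size, digests, broken=frozenset()):
    """True only if the size and EVERY listed digest match.
    `broken` simulates algorithms an attacker can collide at will: such a
    digest is treated as matching whatever the data, i.e. it protects nothing."""
    if len(data) != size:
        return False
    for alg, expected in digests.items():
        if alg in broken:
            continue  # forgeable, contributes no protection
        if ALGOS[alg](data).hexdigest() != expected:
            return False
    return True


ORIGINAL = b"hello world\n"  # constructed distfile contents
TAMPERED = b"hello w0rld\n"  # same length, different contents
_B2, _S512 = (hashlib.blake2b(ORIGINAL).hexdigest(),
              hashlib.sha512(ORIGINAL).hexdigest())
MANIFEST_BOTH = "DIST hello.txt %d BLAKE2B %s SHA512 %s" % (len(ORIGINAL), _B2, _S512)
MANIFEST_B2_ONLY = "DIST hello.txt %d BLAKE2B %s" % (len(ORIGINAL), _B2)


def tamper_accepted(manifest_line, broken=frozenset()):
    """Does the tampered file pass this entry when `broken` hashes are collidable?"""
    _, size, digests = parse_manifest_line(manifest_line)
    return verify_file(TAMPERED, size, digests, broken=frozenset(broken))
```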