| 1 |
On Friday 05 June 2009, Robin H. Johnson wrote: |
| 2 |
> On Fri, Jun 05, 2009 at 02:59:18PM +0200, Robert Buchholz wrote: |
| 3 |
... |
| 4 |
> > 2. It is not well designed (cryptographically) |
| 5 |
> > OpenGPG allows the usage of a set of cryptographic hash function to |
| 6 |
> > sign a document. This allows people to switch to a different |
| 7 |
> > function once attacks against one algorithm become known. This has |
| 8 |
> > been recently seen with SHA-1: |
| 9 |
> > http://www.debian-administration.org/users/dkg/weblog/48 |
| 10 |
> |
| 11 |
> I only stated that we need to offer GPG signing of commits. I did NOT |
| 12 |
> specify the content of commits, other than noting that the commit |
| 13 |
> message and the content needs to be signed together. |
| 14 |
|
| 15 |
I don't think I understood what you meant to say, sorry. As I understand |
| 16 |
the current proposal, it would be over the SHA-1 of the objects, the |
| 17 |
parent and the commit message. |
| 18 |
|
| 19 |
|
| 20 |
> > The git signing, however, relies on the collision resistance of |
| 21 |
> > SHA-1 as that algorithm is used to identify objects in the |
| 22 |
> > repository. We cannot migrate away from it easily. This has been |
| 23 |
> > discussed upstream at length and Linus pointed out that 'the |
| 24 |
> > "signed tags" security does depend on the hashes being |
| 25 |
> > cryptographically strong.': |
| 26 |
> > http://thread.gmane.org/gmane.comp.version-control.git/26106/focus= |
| 27 |
> >26125 |
| 28 |
> |
| 29 |
> The collision is going to come along anyway. |
| 30 |
> |
| 31 |
> Resigning would have to be done regardless of what we sign in Git. |
| 32 |
> Not sure if you followed more recent discussions than one in 2006. |
| 33 |
> The entire Git foodchain will suffer when it comes time to migrate |
| 34 |
> away from SHA-2. Presently discussions of it imply that it's to be |
| 35 |
> done probably as a versioned change, after the NIST hash competition |
| 36 |
> comes up with a viable answer. |
| 37 |
|
| 38 |
I have not seen any statements that would indicate they intended to |
| 39 |
switch ever, do you have a reference? I only found discussions as |
| 40 |
recent as April 2008. If it will be possible to use one (at that time) |
| 41 |
stronger hash function, my argument is defeated. I wanted to point out |
| 42 |
that right now they only support one function that is increasingly |
| 43 |
weakened, and I have the feeling upstream will only act once collisions |
| 44 |
become practical, which is -IMHO- too late. |
| 45 |
|
| 46 |
|
| 47 |
Robert |
Archives