Hi Ulrich,

On Wed, Apr 6, 2022 at 6:38 PM Ulrich Mueller <ulm@g.o> wrote:
> > Why? Then we're dependent on two things, either of which could break,
> > rather than one.
>
> See? If either of these should happen, then we'll be happy that we still
> have both hashes in our Manifest files.
>
> OTOH, if that argument is not relevant because the probability of both
> is close to zero, then (from a security POV) it doesn't matter which of
> the two hashes we remove.

No, you're still missing the point.

If SHA-512 breaks, the security of the system fails, regardless of
what change we make. This is because GnuPG uses SHA-512 for its
signatures.

So I'll spell out the different possibilities:

1) GPG uses SHA-512. Manifest uses SHA-512 and BLAKE2b.
1a) Possibility: SHA-512 is broken. Result: system broken.
1b) Possibility: BLAKE2b is broken. Result: nothing.

2) GPG uses SHA-512. Manifest uses SHA-512.
2a) Possibility: SHA-512 is broken. Result: system broken.
2b) Possibility: BLAKE2b is broken. Result: nothing.

3) GPG uses SHA-512. Manifest uses BLAKE2b.
3a) Possibility: SHA-512 is broken. Result: system broken.
3b) Possibility: BLAKE2b is broken. Result: system broken.

See how from a security perspective, (2) is not worse than (1), but
(3) is worse than both (1) and (2)?

Jason
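
The case analysis in the message above, worked through as an added example that is not part of the original message or of any project's code: a verifier that checks every digest listed in a Manifest entry, plus a small model that derives cases (1) to (3) from the trust chain. The `DIST <name> <size> <ALGO> <hex>` entry layout, the file name and contents, and the helper names are assumptions made for illustration.

```python
import hashlib

# Assumption taken from the message: the Manifest's GnuPG signature uses SHA-512.
SIGNATURE_DIGEST = "SHA512"
HASHERS = {"SHA512": hashlib.sha512, "BLAKE2B": hashlib.blake2b}


def make_dist_entry(name, data, algos):
    """Build a 'DIST <name> <size> <ALGO> <hex> ...' line (layout assumed)."""
    fields = ["DIST", name, str(len(data))]
    for algo in algos:
        fields += [algo, HASHERS[algo](data).hexdigest()]
    return " ".join(fields)


def failed_checks(entry, data):
    """Return the checks that 'data' fails; an empty list means accepted."""
    kind, _name, size, *pairs = entry.split()
    if kind != "DIST" or len(pairs) % 2:
        raise ValueError("malformed DIST entry")
    failed = [] if int(size) == len(data) else ["size"]
    for algo, expected in zip(pairs[::2], pairs[1::2]):
        if HASHERS[algo](data).hexdigest() != expected:
            failed.append(algo)
    return failed


def system_broken(entry, broken):
    """Model: can an attacker get a substituted file accepted?

    Either they forge the signature over a rewritten Manifest (signature
    digest broken), or they match every digest the entry lists.
    """
    algos = set(entry.split()[3::2])
    return SIGNATURE_DIGEST in broken or algos <= set(broken)


def scenario_table(data=b"constructed distfile contents"):
    """Reproduce cases (1)-(3) from the message for each single break."""
    layouts = {"1": ["BLAKE2B", "SHA512"], "2": ["SHA512"], "3": ["BLAKE2B"]}
    table = {}
    for label, algos in layouts.items():
        entry = make_dist_entry("example-1.0.tar.gz", data, algos)
        table[label + "a"] = system_broken(entry, {"SHA512"})
        table[label + "b"] = system_broken(entry, {"BLAKE2B"})
    return table
```

`failed_checks` shows why the verifier rejects a file unless every listed digest matches, and `scenario_table()` returns the same six outcomes the message lists.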