On Friday 05 June 2009, Robin H. Johnson wrote:
> On Fri, Jun 05, 2009 at 02:59:18PM +0200, Robert Buchholz wrote:
...
> > 2. It is not well designed (cryptographically)
> > OpenPGP allows the usage of a set of cryptographic hash functions to
> > sign a document. This allows people to switch to a different
> > function once attacks against one algorithm become known. This has
> > been recently seen with SHA-1:
> > http://www.debian-administration.org/users/dkg/weblog/48
>
> I only stated that we need to offer GPG signing of commits. I did NOT
> specify the content of commits, other than noting that the commit
> message and the content need to be signed together.
|
I don't think I understood what you meant to say, sorry. As I understand
the current proposal, it would be over the SHA-1 of the objects, the
parent and the commit message.
|
|
> > The git signing, however, relies on the collision resistance of
> > SHA-1 as that algorithm is used to identify objects in the
> > repository. We cannot migrate away from it easily. This has been
> > discussed upstream at length and Linus pointed out that 'the
> > "signed tags" security does depend on the hashes being
> > cryptographically strong.':
> > http://thread.gmane.org/gmane.comp.version-control.git/26106/focus=26125
>
> The collision is going to come along anyway.
>
> Resigning would have to be done regardless of what we sign in Git.
> Not sure if you followed more recent discussions than one in 2006.
> The entire Git foodchain will suffer when it comes time to migrate
> away from SHA-2. Presently discussions of it imply that it's to be
> done probably as a versioned change, after the NIST hash competition
> comes up with a viable answer.
|
I have not seen any statements that would indicate they intended to
switch ever, do you have a reference? I only found discussions as
recent as April 2008. If it will be possible to use one (at that time)
stronger hash function, my argument is defeated. I wanted to point out
that right now they only support one function that is increasingly
weakened, and I have the feeling upstream will only act once collisions
become practical, which is -IMHO- too late.
|
|
Robert
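
The dependency on SHA-1 discussed in this thread, as an added example that is not part of the original mail or of git's own code: it builds the bytes of a commit object the way git hashes them, assuming a signature is computed over those bytes. The file name, identity string and parent id are constructed sample values.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Git object id: SHA-1 over b"<kind> <length>\\0" followed by the body."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\0" + body).hexdigest()

def tree_body(files: dict) -> bytes:
    """Serialize a flat tree (regular files only): "<mode> <name>\\0" + raw 20-byte blob id."""
    out = b""
    for name in sorted(files):
        blob_id = git_object_id("blob", files[name])
        out += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id)
    return out

def commit_body(files: dict, parents: list, ident: str, message: str) -> bytes:
    """Bytes of the commit object: what a signature over the commit would cover."""
    tree_id = git_object_id("tree", tree_body(files))
    lines = [f"tree {tree_id}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return "\n".join(lines).encode()

# Constructed sample data (identity, parent id and file contents are made up).
IDENT = "Example Dev <dev@example.org> 1244200000 +0000"
PARENT = "0" * 40
GOOD = {"ebuild": b"src_install() { emake install; }\n"}
CHANGED = {"ebuild": b"src_install() { emake install; true; }\n"}

def demo() -> dict:
    good = commit_body(GOOD, [PARENT], IDENT, "version bump\n")
    other = commit_body(CHANGED, [PARENT], IDENT, "version bump\n")
    return {
        # The file content itself is never in the signed bytes, only a hash chain to it.
        "content_in_signed_bytes": GOOD["ebuild"] in good,
        # The payloads differ solely because the blob (and so tree) SHA-1 ids differ.
        "payloads_differ": good != other,
        "commit_id": git_object_id("commit", good),
    }

if __name__ == "__main__":
    print(commit_body(GOOD, [PARENT], IDENT, "version bump\n").decode())
    print(demo())
```

Two file contents with the same SHA-1 would yield byte-identical commit objects, so one signature would verify for both regardless of the hash algorithm used inside the OpenPGP signature itself.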