Skip to Content.
Sympa Menu

cacert-devel - Re: Security Issue https://bugs.cacert.org/view.php?id=1473

Subject: CAcert Code Development list.

List archive

Re: Security Issue https://bugs.cacert.org/view.php?id=1473


Chronological Thread 
  • From: Gero Treuner <gero-cacert AT innocircle.com>
  • To: cacert-devel AT lists.cacert.org
  • Subject: Re: Security Issue https://bugs.cacert.org/view.php?id=1473
  • Date: Mon, 6 Jan 2020 13:57:35 +0100

Hi Ted and all,

On Mon, Jan 06, 2020 at 01:04:44PM +0100, Bernhard Fröhlich wrote:
[...]
> Now it has been quite some time when I worked wit GPG, so can anyone make
> some proposal about how to proceed? Specifically I have the following
> questions:
>
> * Which version is needed to use a more current signature algorythm?

From the changelog:

Noteworthy changes in version 1.3.3 (2003-10-10)
------------------------------------------------

* Full (read/write) support for the SHA-256 hash has been added.

I also looked for SHA-512, but changelog says nothing about write
support. In the oldest version 1.4.12 available for me from ~2012
it is listed as supported hash algo.

> * Which version do we have installed on the signer server? (I can
> probably find this out myself, but it will be some work...)
> * What would be the changes needed? Is a different command line needed
> or would a new version automatically use a new algorythm?

From the changelog ;-)

Noteworthy changes in version 1.4.10 (2009-09-02)
-------------------------------------------------

* 2048 bit RSA keys are now generated by default. The default
hash algorithm preferences has changed to prefer SHA-256 over
SHA-1. 2048 bit DSA keys are now generated to use a 256 bit
hash algorithm


So it depends on the version installed - if it is 1.4.10 or newer SHA-1
must be explicitely specified on the command line or in a configuration
right now, requiring it to be changed.

If GPG 2.x is installed we don't have to worry about supported
algorithms, also we probably require a change in the command line.

> An alternative to fixing the problem would also be to disable GPG signing,
> temporarily or forever. This would be a "political" decision made by board
> or policy group, but they'll need some "technical opinions" to discuss
> about.
>
> As far as I am concerned, GPG signing is not very useful for me. And some
> chatter seems to imply that at least key servers and "large scale key
> signing" is being deprecated more and more. So are there any other opinions?

I know people who sign their keys with CAcert. Although the PGP WoT and
keyservers are not widely accepted, signing by CAs seems to be among
most useful applications left for PGP (maybe besides autocrypt, which is
a different story).

So I propose to keep it.


Kind regards,
Gero



Archive powered by MHonArc 2.6.18.

Top of Page