Re: 1024-bit RSA keys in danger of compromise

From: Hugh Pierce (hpierce@stutzmanpierce.com)
Date: 03/28/02
From: "Hugh Pierce" <hpierce@stutzmanpierce.com>
To: <BUGTRAQ@securityfocus.com>, "Florian Weimer" <Weimer@CERT.Uni-Stuttgart.DE>
Date: Thu, 28 Mar 2002 14:47:06 -0500

Eroding the web of trust is indeed unfortunate, but these developments may
be too unnerving for some sections of crypto users to sit idle with the
possibility hanging over their heads of the NSA being able to break <1024
keys. The article below covers both arguments well:

http://www.eweek.com/article/0,3658,s=712&a=24663,00.asp

Hugh

Hugh Pierce, Founder and CTO
STUTZMANPIERCE, INC.
Intelligence Based Information Security
www.stutzmanpierce.com

> "Lucky Green" <shamrock@cypherpunks.to> writes:
>
> > In light of the above, I reluctantly revoked all my personal 1024-bit
> > PGP keys and the large web-of-trust that these keys have acquired over
> > time.
>

From: "Florian Weimer" <Weimer@CERT.Uni-Stuttgart.DE>
> And this is certainly the wrong thing to do. Key revocations are not
> the proper way to deal with algorithmic weaknesses. Many people will
> follow your advice and destroy large parts of the web of trust, and we
> don't even know yet if there's a real threat (Bernstein himself said
> so a few weeks ago, for example).
>
> You don't revoke your keys just because someone can impersonate you,
> using bugs in a widespread OpenPGP implementation, do you?
>
> --
> Florian Weimer Weimer@CERT.Uni-Stuttgart.DE
> University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
> RUS-CERT +49-711-685-5973/fax +49-711-685-5898
>
