Re: [PATCH] test: replace aging OpenPGP key used in the test suite

Subject: Re: [PATCH] test: replace aging OpenPGP key used in the test suite

Date: Thu, 22 Sep 2022 12:21:46 +0200

Am Do., 22. Sept. 2022 um 12:14 Uhr schrieb Justus Winter
<justus@sequoia-pgp.org>:
>
> Michael J Gruber <michaeljgruber+grubix+git@gmail.com> writes:
>
> > Am Do., 22. Sept. 2022 um 10:47 Uhr schrieb Justus Winter
> > <justus@sequoia-pgp.org>:
> >>
> >> This replaces the old OpenPGPv4 key that is used in the test suite
> >> with a more modern OpenPGPv4 key.  All cryptographic artifacts in the
> >
> > Both v4? Only one key file is named v4.
>
> Yes, the old key was also a v4 key.  In this context, OpenPGP v4 was
> standardized in 1998.  So when the old key was created, v4 was and has
> been for a long time *the* version of OpenPGP.  It didn't seem to make
> sense to specify the version.
>
> Now, v5 is around the corner, so it makes sense to make the version
> explicit.  That'll help when we introduce v5 artifacts.
>
> >> @@ -6,7 +6,7 @@ Message-ID: <simple-signed-mail@crypto.notmuchmail.org>
> >>  MIME-Version: 1.0
> >>  Content-Type: multipart/signed; boundary="=-=-=";
> >>   protocol="application/pgp-signature";
> >> - micalg=pgp-sha512
> >> + micalg=pgp-sha256
> >
> > You are downgrading the hash algo here and in the other regenerated
> > signatures. This is not wrong per-se, I'm just wondering whether it is
> > intentional (or forced by the standard) when the aim of this series is
> > future-proofing. sha256 is the current "replacement" for sha1, which
> > means it's the one which will be replaced next ;)
>
> Yes I am.  It happened when I re-created the signature.  Recreating the
> artifacts was somewhat tedious (I'm working on tooling for that, but the
> changes to notmuch I created by hand), so I opted for the easiest fix.
>
> WRT future proofing: SHA256 is the only mandatory to implement hash
> algorithm in v5 OpenPGP.  Therefore, when SHA256 falls, we will
> hopefully have specified v6 OpenPGP which moved to a new MTI hash
> algorithm.  So, for a v4 OpenPGP artifact, SHA256 is and will forever be
> more than appropriate.
>
> Best,
> Justus

Thanks for clarifying, sounds good to me!

Michael
_______________________________________________
notmuch mailing list -- notmuch@notmuchmail.org
To unsubscribe send an email to notmuch-leave@notmuchmail.org

Previous message (by thread): Re: [PATCH] test: replace aging OpenPGP key used in the test suite

Thread:

Justus Winter—[PATCH 1/2] test: compute expected keyid from fingerprint [inbox, notmuch::patch, notmuch::pushed, unread]
- Justus Winter—[PATCH 2/2] test: replace aging OpenPGP key used in the test suite [inbox, notmuch::moreinfo, notmuch::patch, unread]
  - Daniel Kahn Gillmor—Re: [PATCH 2/2] test: replace aging OpenPGP key used in the test suite [inbox, signed, unread]
  - David Bremner—Re: [PATCH 2/2] test: replace aging OpenPGP key used in the test suite [inbox, unread]
    - Justus Winter—[PATCH] test: replace aging OpenPGP key used in the test suite [inbox, notmuch::patch, notmuch::pushed, unread]
      - Michael J Gruber—Re: [PATCH] test: replace aging OpenPGP key used in the test suite [inbox, unread]
        Justus Winter—Re: [PATCH] test: replace aging OpenPGP key used in the test suite [inbox, signed, unread]
        Michael J Gruber—Re: [PATCH] test: replace aging OpenPGP key used in the test suite [inbox, unread]
      - Daniel Kahn Gillmor—Re: [PATCH] test: replace aging OpenPGP key used in the test suite [inbox, signed, unread]
      - David Bremner—Re: [PATCH] test: replace aging OpenPGP key used in the test suite [inbox, unread]
- Tomi Ollila—Re: [PATCH 1/2] test: compute expected keyid from fingerprint [inbox, unread]
  - Justus Winter—Re: [PATCH 1/2] test: compute expected keyid from fingerprint [inbox, signed, unread]
    - Daniel Kahn Gillmor—Re: [PATCH 1/2] test: compute expected keyid from fingerprint [inbox, signed, unread]
      - Tomi Ollila—Re: [PATCH 1/2] test: compute expected keyid from fingerprint [inbox, unread]