I’ve always looked at GPG subkeys with a bit of fascination, thinking it’s the thing that separates GPG aristocrats from ignorant crypto-peasants like myself. Turns out that, while the idea of having master and slave keys is cryptographically sound, the GPG implementation is insecure.
As usual, #bitcoin-assets has it, and tells us exactly why.
Yes, the reason is simply that what glues the master and the sub together, is a SHA1 hash. According to Schneier it cost ~$3mn in 2012 to find an arbitrary SHA1 collision. That alone is grounds to burn the whole thing down.
Now imagine what the figure has become in 2015, when the Bitcoin-world has spent the last six years relentlessly looking for more efficient ways to bruteforce the living crap out of SHA2.
One of the reasons, among others, that re-doing GPG has been on #b-a’s TODO for a while.