Debian moving away from SHA-1 (debian-administration.org)
38 points by r11t on May 8, 2009 | hide | past | favorite | 5 comments



PGP is not in especially much danger due to the new results against SHA-1. The new attack is a birthday attack, not a preimage attack. PGP uses SHA-1 in several places, including some where it's "hard-wired" (i.e., parties can't specify any alternative hash algorithm), but there's only one where a birthday attack does any good: signing others' keys; this attack would work basically the same way as the one that produced the rogue SSL CA using an MD5 collision. Even here, this further requires a chosen-suffix attack, which this new advance is not; though I would not be surprised if one were discovered in the near future. Every other use of hash functions in PGP depends only on their one-wayness, not on collision-resistance.

Nonetheless, in light of the new results, the IETF Working Group on OpenPGP is likely to reconvene to produce a new version of the standard that doesn't depend on SHA-1. They're also currently discussing my suggestion to include a random salt at the beginning of the data that gets hashed for key signatures, effectively rendering the integrity of these signatures immune to birthday attacks. If this is done, and it likely will be, then PGP could probably get away even with using MD5 everywhere (not that I'm recommending this!).

If, in the interim, a chosen-suffix attack against SHA-1 is discovered, then signers can protect themselves by migrating their keys away from it as dkg advises. Also, only newly-made key signatures would be vulnerable. Key signatures made prior to the discovery of such an attack would not be compromised.
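The salted key-signature idea from this comment, as an added example that is not from the thread or from any OpenPGP draft: a toy 32-bit truncation of SHA-256 stands in for a hash with practical collisions, an HMAC under a secret key stands in for the signer's private-key signature, and all function names are assumptions. It shows that a collision pair lets one signature cover both messages under plain hash-then-sign, but not once the signer prepends a fresh random salt before hashing.

```python
import hashlib
import hmac
import os

# Constructed toy hash: 32 bits so that a birthday search finishes quickly.
DIGEST_BYTES = 4
SIGNING_KEY = os.urandom(32)  # stand-in for the signer's private key


def weak_hash(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()[:DIGEST_BYTES]


def find_collision(prefix: bytes) -> tuple[bytes, bytes]:
    """Birthday search: two distinct messages with equal weak_hash()."""
    seen = {}
    counter = 0
    while True:
        m = prefix + counter.to_bytes(8, "big")  # counter makes each m distinct
        h = weak_hash(m)
        if h in seen:
            return seen[h], m
        seen[h] = m
        counter += 1


def _sign_digest(digest: bytes) -> bytes:
    # HMAC over the digest stands in for a public-key signature over it.
    return hmac.new(SIGNING_KEY, digest, "sha256").digest()


def sign_plain(msg: bytes) -> bytes:
    return _sign_digest(weak_hash(msg))


def verify_plain(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(_sign_digest(weak_hash(msg)), sig)


def sign_salted(msg: bytes) -> tuple[bytes, bytes]:
    salt = os.urandom(16)  # fresh, signer-chosen, unknown when the collision was built
    return salt, _sign_digest(weak_hash(salt + msg))


def verify_salted(msg: bytes, salt: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(_sign_digest(weak_hash(salt + msg)), sig)


def demo() -> tuple[bool, bool]:
    """(plain_transfers, salted_transfers): does a signature on m1 verify on m2?"""
    m1, m2 = find_collision(b"key-signature-packet:")
    sig = sign_plain(m1)
    salt, ssig = sign_salted(m1)
    return verify_plain(m2, sig), verify_salted(m2, salt, ssig)
```

The salted result is False except with probability 2^-32 per run (the chance the salted digests collide again by accident), which is the same argument scaled down from a full-width hash.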


Maybe such moves shouldn't be started after an attack is demonstrated, but as soon as something better arrives. Researchers who publish their findings are not the people to fear. Those who find successful attacks and do not make them public are the dangerous ones.


Indeed. Security researchers who embrace responsible disclosure should be thanked instead of being feared. Moves like these and the recent move towards eglibc from glibc really make Debian pretty progressive as a community imho.


Not sure how well thought out this decision is considering that SHA-1 has resisted preimage attacks for almost a decade longer than the SHA-2 family (since it is that much older).

Re-keying hundreds of developers as well as the entire Debian infrastructure seems like a pretty extreme reaction to a problem that doesn't actually exist.


I would be very surprised if there were a tractable preimage attack against either algorithm in the next hundred years.



