1.3.6 cert signatures

David Shaw dshaw at jabberwocky.com
Sat Jul 24 14:06:01 CEST 2004

Hash: SHA1

On Sat, Jul 24, 2004 at 12:00:04AM -0400, Atom 'Smasher' wrote:
> On Fri, 23 Jul 2004, David Shaw wrote:
> > On Fri, Jul 23, 2004 at 05:50:41PM -0400, Atom 'Smasher' wrote:
> >> should "personal-digest-preferences" affect cert signatures?
> >>
> >> or is that too broad an interpretation of the intent?
> >
> > Yes.  Changing the digest for cert signatures is something that GnuPG
> > supports for protocol completeness, but it's one of those things that
> > you should never do unless you really, really know what you are doing.
> > And even then you probably shouldn't do it.
> ====================
> what problems should i expect if i use SHA-256 on keybinding and cert 
> signatures? (aside from the obvious, that some older implementations won't 
> be able to handle it)

It's the obvious, but it's more than that.  It's also a lot more than
"some older implementations".  There are vastly more installations of
PGP and GnuPG that cannot understand SHA-256 than there are that can
understand SHA-256.

OpenPGP has a (partially deserved) reputation for being fiddly and
difficult to get to work and rife with incompatibilities.  Every
additional key out there that prevents, rather than helps,
communication just adds to this reputation, and becomes one more
barrier to people using it.  It's a community good to have keys that
everyone can use.

In immediate terms, even some encryption fans aren't likely to upgrade
just so they can use your key - they'll send in cleartext, which
pretty much defeats the purpose of you having a key.  Rather than gain
additional security, you've actually lowered it to zero.  New users,
or people who are just playing around with OpenPGP are going to be
utterly baffled by your key, and have one more reason to give
encryption up as too confusing for them.

Version: GnuPG v1.3.6-cvs (GNU/Linux)


More information about the Gnupg-devel mailing list