1.3.6 cert signatures
atom at suspicious.org
Sat Jul 24 20:20:44 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
On Sat, 24 Jul 2004, David Shaw wrote:
> It's the obvious, but it's more than that. It's also a lot more than
> "some older implementations". There are vastly more installations of
> PGP and GnuPG that cannot understand SHA-256 than there are that can
> understand SHA-256.
>
> OpenPGP has a (partially deserved) reputation for being fiddly and
> difficult to get to work and rife with incompatibilities. Every
> additional key out there that prevents, rather than helps,
> communication just adds to this reputation, and becomes one more
> barrier to people using it. It's a community good to have keys that
> everyone can use.
>
> In immediate terms, even some encryption fans aren't likely to upgrade
> just so they can use your key - they'll send in cleartext, which
> pretty much defeats the purpose of you having a key. Rather than gain
> additional security, you've actually lowered it to zero. New users,
> or people who are just playing around with OpenPGP are going to be
> utterly baffled by your key, and have one more reason to give
> encryption up as too confusing for them.
I suspect that within my lifetime, SHA-1 will be too weak to be taken
seriously. With that possibility (or likelihood, depending on your
paranoia) I think the standard should be thinking that far ahead, and
require larger hashes to be recognized... or at least encourage their use,
since there will obviously be ~some~ applications where it would be too
much of a burden.
What's the point of having a 2048 (or larger) signing key, if that key is
only signing a 160-bit hash? It seems that nothing is gained by the larger
signing key. I don't think this helps, in the long term.
There are still people who use PGP-2, but that doesn't obligate me to use
MD5 and IDEA. There will *always* be vintage/obsolete applications out
there, but that shouldn't prevent (or discourage) someone from using
what's available. (I often get mail from people and notice the "Version"
header is from an old version of GnuPG... I let them know what's current,
and I've almost always been thanked for pointing that out.)
I ~think~ I understand your challenge as a developer here... that the
application must understand how something is used, and have a large enough
base that can _understand_ that feature, before that feature can safely be
That said, at what point would you feel comfortable "turning on" SHA-256
(or larger) cert hashes?
BTW 1) My 4096-RSA key has a DSA and Elgamal subkey (with SHA-1 cert
hashes) and RSA signing & encryption subkeys (with SHA-256 cert hashes).
If someone's application chokes on the SHA-256 certs, they should still be
able to use the older subkeys. I haven't yet heard from anyone having
trouble with this.
BTW 2) I've been exchanging key signatures with people and signing their
keys with SHA-256. Again, no complaints.
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
When cryptography is outlawed,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
-----END PGP SIGNATURE-----
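The thread above is about which hash algorithm the certification signatures on a key use, and whether a 2048-bit or larger signing key gains anything when the signature only covers a 160-bit digest. The following is an added example, not code from the original post or from GnuPG: a small parser for OpenPGP v4 signature packets (RFC 4880 section 5.2.3) that reports, for each certification, the hash algorithm, the digest size and the generic birthday bound on collisions (digest bits / 2), the signing-key size where it can be read from the signature MPI (RSA), and whether a SHA-1-era implementation could read the signature at all. The sample packets are constructed inline with dummy MPI values and are not real signatures; the issuer key ID used in them is the low 64 bits of the fingerprint printed in the post; the RSA strength equivalences are the NIST SP 800-57 Part 1 table.

```python
"""Inspect the hash algorithm used by OpenPGP v4 signature/certification packets.

Added example, not from the original post or from GnuPG. Sample packets below are
constructed with dummy MPIs for parsing only; they would not verify.
"""
import struct

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
DIGEST_BITS = {"MD5": 128, "SHA1": 160, "RIPEMD160": 160, "SHA224": 224, "SHA256": 256, "SHA384": 384, "SHA512": 512}
PUBKEY_ALGOS = {1: "RSA", 3: "RSA", 16: "Elgamal", 17: "DSA"}
# RSA modulus size -> security strength in bits (NIST SP 800-57 Part 1 equivalence table)
RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
# Hash IDs that every PGP 5.x / early GnuPG implementation understood (MD5, SHA-1, RIPEMD-160)
SHA1_ERA_HASHES = {1, 2, 3}
# Issuer key ID: low 64 bits of the fingerprint printed in the post (used only as sample data)
SAMPLE_ISSUER = bytes.fromhex("B88D52E4D9F57808")


def read_packet_header(buf, pos=0):
    """Return (tag, body_start, body_len) for the packet header at buf[pos] (RFC 4880 section 4.2)."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                                   # new-format header
        tag, b1 = first & 0x3F, buf[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + buf[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03     # old-format header
    if ltype == 0:
        return tag, pos + 2, buf[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", buf[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", buf[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate length not supported")


def parse_subpackets(data):
    """Map subpacket type -> raw data (RFC 4880 section 5.2.3.1); the critical bit is stripped."""
    out, pos = {}, 0
    while pos < len(data):
        l = data[pos]
        if l < 192:
            length, pos = l, pos + 1
        elif l < 255:
            length, pos = ((l - 192) << 8) + data[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
        out[data[pos] & 0x7F] = data[pos + 1:pos + length]
        pos += length
    return out


def inspect_signature(packet):
    """Parse one v4 signature packet and report hash algorithm, digest size and strength bottleneck."""
    tag, start, length = read_packet_header(packet)
    if tag != 2:
        raise ValueError("not a signature packet (tag %d)" % tag)
    body = packet[start:start + length]
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    sig_type, pk_algo, hash_id = body[1], body[2], body[3]
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = parse_subpackets(body[6:6 + hlen])
    pos = 6 + hlen
    ulen = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = parse_subpackets(body[pos + 2:pos + 2 + ulen])
    pos += 2 + ulen + 2                                # skip unhashed subpackets and left 16 bits of hash
    mpi_bits = struct.unpack(">H", body[pos:pos + 2])[0]   # first MPI; for RSA its size equals the modulus size
    hash_name = HASH_ALGOS.get(hash_id, "unknown(%d)" % hash_id)
    digest = DIGEST_BITS.get(hash_name)
    hash_strength = digest // 2 if digest else None    # generic birthday bound on finding a collision
    key_strength = RSA_STRENGTH.get(mpi_bits) if PUBKEY_ALGOS.get(pk_algo) == "RSA" else None
    strengths = [s for s in (hash_strength, key_strength) if s is not None]
    return {
        "sig_type": sig_type,
        "pubkey": PUBKEY_ALGOS.get(pk_algo, "unknown"),
        "hash": hash_name,
        "digest_bits": digest,
        "hash_strength": hash_strength,
        "key_strength": key_strength,                  # None when not derivable from the signature alone
        "effective": min(strengths) if strengths else None,
        "sha1_era_readable": hash_id in SHA1_ERA_HASHES,
        "issuer": unhashed.get(16, hashed.get(16, b"")).hex().upper(),
    }


def build_signature(sig_type, pk_algo, hash_id, mpi_bits, issuer, created=0x40FF0000):
    """Construct a syntactically valid v4 signature packet with a DUMMY all-ones MPI (sample data only)."""
    hashed = bytes([5, 2]) + struct.pack(">I", created)          # subpacket 2: signature creation time
    unhashed = bytes([9, 16]) + issuer                            # subpacket 16: issuer key ID
    mpi = struct.pack(">H", mpi_bits) + b"\xff" * ((mpi_bits + 7) // 8)
    body = (bytes([4, sig_type, pk_algo, hash_id]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + mpi)
    n = len(body)
    hdr = bytes([0xC2, n]) if n < 192 else bytes([0xC2, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return hdr + body


# Constructed samples: positive certification (0x13) over RSA-2048 with SHA-256 and with SHA-1,
# and a DSA certification with SHA-1 (DSA signature MPI is the 160-bit r value, not the key size).
SAMPLES = {
    "rsa2048-sha256": build_signature(0x13, 1, 8, 2048, SAMPLE_ISSUER),
    "rsa2048-sha1": build_signature(0x13, 1, 2, 2048, SAMPLE_ISSUER),
    "dsa-sha1": build_signature(0x13, 17, 2, 160, SAMPLE_ISSUER),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, inspect_signature(pkt))
```

On a real key the equivalent raw view is `gpg --list-packets` on the exported public key, which prints the `digest algo` of every signature packet; GnuPG selects the certification hash with the `cert-digest-algo` option. The `effective` field makes the post's argument concrete: an RSA-2048 certification over SHA-1 bottoms out at the 80-bit collision bound of the digest rather than the 112-bit strength of the key, while the same key with SHA-256 is limited by the key itself.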