1.3.6 cert signatures

Atom 'Smasher' atom at suspicious.org
Sat Jul 24 20:20:44 CEST 2004

Hash: SHA256

On Sat, 24 Jul 2004, David Shaw wrote:

> It's the obvious, but it's more than that.  It's also a lot more than
> "some older implementations".  There are vastly more installations of
> PGP and GnuPG that cannot understand SHA-256 than there are that can
> understand SHA-256.
> OpenPGP has a (partially deserved) reputation for being fiddly and
> difficult to get to work and rife with incompatibilities.  Every
> additional key out there that prevents, rather than helps,
> communication just adds to this reputation, and becomes one more
> barrier to people using it.  It's a community good to have keys that
> everyone can use.
> In immediate terms, even some encryption fans aren't likely to upgrade
> just so they can use your key - they'll send in cleartext, which
> pretty much defeats the purpose of you having a key.  Rather than gain
> additional security, you've actually lowered it to zero.  New users,
> or people who are just playing around with OpenPGP are going to be
> utterly baffled by your key, and have one more reason to give
> encryption up as too confusing for them.

i suspect that within my lifetime, SHA-1 will be too weak be taken 
seriously. with that possibility (or likelihood, depending on your 
paranoia) i think the standard should be thinking that far ahead, and 
require larger hashes to be recognized... or at least encourage their use, 
since there will obviously be ~some~ applications where it would be too 
much of a burden.

what's the point of having a 2048 (or larger) signing key, if that key is 
only signing a 160 bit hash? it seems that nothing is gained by the larger 
signing key. i don't think this helps, in the long term.

there are still people who use PGP-2, but that doesn't obligate me to use 
MD5 and IDEA. there will *always* be vintage/obsolete applications out 
there, but that shouldn't prevent (or discourage) someone from using 
what's available. (i often get mail from people and notice the "Version" 
header is from an old version of GnuPG... i let them know what's current, 
and i've almost always been thanked for pointing that out.)

i ~think~ i understand your challenge as a developer here... that the 
application must understand how something is used, and have a large enough 
base that can _understand_ that feature, before that feature can safely be 
"turned on".

that said, at what point would you feel comfortable "turning on" SHA-256 
(or larger) cert hashes?

BTW 1) my 4096-RSA key has a DSA and elgamal subkey (with SHA-1 cert 
hashes) and RSA signing & encryption subkeys (with SHA-256 cert hashes). 
if someones application chokes on the SHA-256 certs, they should still be 
able to use the older subkeys. i haven't yet heard from anyone having 
trouble with this.

BTW 2) i've been exchanging key signatures with people and signing their 
keys with SHA-256. again, no complaints.


  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808

 	When cryptography is outlawed,
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures


More information about the Gnupg-devel mailing list