Weaknesses in SHA-1

David Shaw dshaw at jabberwocky.com
Wed Sep 22 20:45:38 CEST 2004


On Tue, Sep 21, 2004 at 09:59:28PM -0500, Alan S. Jones wrote:
> I would be curious if anyone knows what the commercial PGP app supports
> also for a good comparison.  I think it would be helpful not just for
> rumored weaknesses, but for over all compatibility knowledge.  Maybe an
> ongoing table we could keep current.

The best table I've seen on the subject:
  https://netfiles.uiuc.edu/ehowes/www/pgp-summ.htm

It's a little out of date though, only going up to GnuPG 1.2.1.

> I know t hat SHA-1 has been analyzed more then SHA256, SHA384, or SHA512
> thus could actually be stronger.  However why not let people create keys
> with those algorithms also in 1.4?

I'm not sure what you mean here - these are hash algorithms.  You
don't create a key using them.

> On a side note I know that the 1.3.x series will become the new
> stable 1.4.  However I was wondering when we would see the first
> builds that actually said 1.4 come along?  I figure we will see a
> much more use of that build series when it actually says 1.4.

It won't be long now.

David



More information about the Gnupg-devel mailing list