Robert J. Hansen rjh at sixdemonbag.org
Tue Oct 17 11:57:59 CEST 2006

Lionel Elie Mamane wrote:
> So, the signed data contains (via a hash) the hash algorithm, which 
> constitutes a hash function firewall. Do you have any argument to say
> it is not "satisfactory"?

I just got this email today, despite the fact it's a response to a
message from September 29.  I figure that either Lionel was delayed in
responding to mail or else my mailserver ate something in a big way.

Either way, my response is the same.  I'll quote David Shaw, again from
September 29:


On Fri, Sep 29, 2006 at 07:11:12AM +0200, Lionel Elie Mamane wrote:
> ... Version 3 DSA signatures lack a hash firewall. But version 4 DSA
> signatures do have a hash firewall. The version refers not to a
> version of DSA itself, but the version of the OpenPGP packet format
> being used.

This is not correct. No DSA signatures in OpenPGP, whether v3 or v4,
have a hash firewall.

> > - RSA does support "firewalled hashes".
> All RSA signatures (V3 or V4) do have a hash firewall, yes.


It's important to not focus unduly on one thing. This gives hash
firewalls too much import. Today it's hash firewalls. Yesterday it
was hash length. Before that it was key size, etc, etc.


... I've edited David's response slightly for space concerns, but I
think I've quoted him accurately.

I agree with David that the lack of a HFF is not the end of the world.
However, it's something that sets off my own twitch sensors and causes
me to look to RSA instead.
