laying groundwork for an eventual migration away from SHA1 with gpg

Robert J. Hansen rjh at
Mon May 11 04:46:15 CEST 2009

David Shaw wrote:
> I'm afraid that the plan document is going to result in scared people,
> and scared people do very dumb things.  I'm already seeing various
> pieces of posted advice around the net to do stuff like immediately
> switch to 4096-bit keys or force SHA256 via 'digest-algo', or use
> SHA512, or other things that can actually cause more harm than good. 

So here's an idea.  Why not write up a recommendation, get people of
repute within the community to put their names on it, then put it up
somewhere that people can see it?  Part of the problem we're facing is
that people are scared and doing foolish things, yes -- but a major part
of the problem is the lack of a coordinated message in response.

There has been a lot of good advice coming from people, but it's
scattershot, and drowns out in a sea of bad advice.  It would be helpful
to have a single, central recommendation.

If there's interest, I'll take a stab at a rough draft of it.

More information about the Gnupg-devel mailing list