laying groundwork for an eventual migration away from SHA1 with gpg

Daniel Kahn Gillmor dkg at
Mon May 11 07:21:04 CEST 2009

On 05/10/2009 10:46 PM, Robert J. Hansen wrote:
> So here's an idea.  Why not write up a recommendation, get people of
> repute within the community to put their names on it, then put it up
> somewhere that people can see it?  Part of the problem we're facing is
> that people are scared and doing foolish things, yes -- but a major part
> of the problem is the lack of a coordinated message in response.
> There has been a lot of good advice coming from people, but it's
> scattershot, and drowns out in a sea of bad advice.  It would be helpful
> to have a single, central recommendation.

I basically wrote that blog entry because i didn't see any concrete
recommendations coming out, felt that something was needed, and i took
my best shot at it.  I would really welcome clear recommendations (and
descriptions of forseen problems) from experienced people.

> If there's interest, I'll take a stab at a rough draft of it.

I'd be very interested to read a draft, thanks for offering.  If you're
willing to publish it, i'd certainly link to such a statement from my
blog post (which appears to have caused a stir within debian), whether
it ends in general agreement or in sharp criticism.

Thanks for the discussion,


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090511/96d50859/attachment.pgp>

More information about the Gnupg-devel mailing list