SHA-1 recommendations

Daniel Kahn Gillmor dkg at
Mon May 18 19:49:37 CEST 2009

On 05/18/2009 01:21 PM, David Shaw wrote:
> Understood, but I believe the quote from me that was used was from that
> context, so I wanted to make that context clear.  I don't really favor
> this sort of "here's how to transition everyone" document.

I think that Robert started the document in an attempt to address your
earlier concern that there was a lot of bad advice floating around on
the 'net:

Are you saying that you think such a document is a bad idea in general,
and you'd never consider endorsing such a thing?

Is there a better way to address the legitimate concern you've raised?

> Not all users of OpenPGP use the keyservers or even participate in the
> web of trust.  It's also used in various environments where keys are
> traded manually.

True.  For those who do not participate in the WoT, the choice of
cert-digest-algo is irrelevant, though (they don't interpret
certificates at all), so we can ignore those people in this consideration.

For people who do use the WoT, but exchange keys manually or don't use
the public keyserver network, i don't have a proposal for how to account
for them.  Do you?  I'm trying to understand when we'll know that it's
ok to switch the defaults.  At the moment, the decision seems to be
based on hunches/speculation about what kind of cryptanalytic attacks
are possible and the distribution of deployed tools.  Both of these data
points are hazy at best, and how we make the tradeoff between the two is
unclear as well.

It would be nice to have some more-concrete target or rationale that we
could use to judge when to make this transition.  I was proposing a
metric not because i thought it captured everything, but because it
seemed *more* grounded in reality than my current hunches.  I'd be happy
to see a better metric proposed, or an explicit timeline based on the
current best guesses.

>> * include the stronger SHA-2 digests which gpg supports, and
>> * re-order them in a clearly-stated way (i.e. commit to saying "gpg
>> interprets and produces the orderings as preferential, with most-desired
>> first"), and explicitly, publically prefer digests from the SHA-2 family
>> over SHA-1.
> I don't have a problem with this.   GPG does interpret the ordering as
> preferential (is there some source that says otherwise?).  The current
> default hash preference list is "SHA1 SHA256 RIPEMD160".  It's simple
> enough to juggle the list so that SHA256 comes first, etc.  I wouldn't
> want to put that into some extra document, though: it's a fairly small,
> and quite safe change.  I'd support changing the default for that.

OK, if that's a known assumption, i agree it doesn't need any sort of
additional formal document.  And i do think that gpg should change the
default preference list to be (for digests only -- i haven't looked
into ciphers enough to make a reasonable estimation):

  SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1

I've left off MD5 even though gpg implements that digest algorithm in an
attempt to indicate that it is actively deprecated.  Any objections to
changing this default?  Should i submit a patch?  Getting this rolled
into the version that produces new RSA+RSA key defaults would be nice, i


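The preference-ordering rule agreed on above, as an added example that is not from this thread or from gpg's own code: a small Python model of the RFC 4880 negotiation (the recipient's list is walked most-desired first, SHA1 is tacitly at the end per section 13.3.2) plus a check that a default list does not still rank SHA-2 digests below SHA1. The name-to-ID table follows RFC 4880 section 9.4; the function names are my own.

```python
"""Model of OpenPGP hash-preference negotiation (RFC 4880, section 13.3.2)."""

# RFC 4880 section 9.4 hash algorithm IDs, keyed by the names gpg prints.
HASH_ID = {"MD5": 1, "SHA1": 2, "RIPEMD160": 3, "SHA256": 8,
           "SHA384": 9, "SHA512": 10, "SHA224": 11}

DEPRECATED = {"MD5"}  # digests a default list should no longer advertise

def parse_prefs(spec):
    """Turn a gpg-style 'SHA512 SHA384 ... SHA1' string into an ordered list of
    algorithm IDs. SHA1 is MUST-implement, so if absent it is tacitly appended
    (RFC 4880 section 13.3.2); unknown names are rejected, duplicates dropped."""
    ids = []
    for name in spec.split():
        if name not in HASH_ID:
            raise ValueError(f"unknown hash algorithm: {name}")
        if HASH_ID[name] not in ids:
            ids.append(HASH_ID[name])
    if HASH_ID["SHA1"] not in ids:
        ids.append(HASH_ID["SHA1"])
    return ids

def choose_hash(recipient_prefs, sender_supported):
    """Pick the digest for a message: the recipient's list is walked most-desired
    first and the first entry the sender can also produce wins. Because SHA1 is
    tacitly in both lists the walk always ends with a choice."""
    recipient = parse_prefs(recipient_prefs)
    supported = set(parse_prefs(sender_supported))
    for alg in recipient:
        if alg in supported:
            return alg
    return HASH_ID["SHA1"]  # unreachable, kept to make the contract explicit

def lint_prefs(spec):
    """Check a default preference list: flag deprecated digests and any SHA-2
    member listed after SHA1, i.e. a list that still steers peers to SHA1."""
    ids = parse_prefs(spec)
    problems = []
    for name in sorted(DEPRECATED):
        if HASH_ID[name] in ids:
            problems.append(f"{name} still advertised")
    sha1_pos = ids.index(HASH_ID["SHA1"])
    for name in ("SHA256", "SHA384", "SHA512", "SHA224"):
        if HASH_ID[name] in ids and ids.index(HASH_ID[name]) > sha1_pos:
            problems.append(f"{name} ranked below SHA1")
    return problems
```

With the old default "SHA1 SHA256 RIPEMD160" on the recipient side, every sender that supports SHA1 ends up using it; with the proposed list the strongest mutually supported SHA-2 digest is chosen instead.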

More information about the Gnupg-devel mailing list