SHA-1 recommendations

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon May 18 20:04:44 CEST 2009


On 05/18/2009 01:31 PM, David Shaw wrote:
> I agree with you, except for the "exhaustive" part.  I see no wording
> that states or even suggests that all possible algorithms supported need
> to be listed.

This is the line in question (split across pages in the RFC):

   It is assumed that only algorithms listed are supported by the
   recipient's software.

I think you're reading this as:

   It is assumed that all algorithms listed are supported by the
   recipient's software.

or even:

   Implementations generating these subpackets SHOULD only list
   algorithms which are supported by the implementation.

but either of these modified versions changes the meaning from a
statement about the software to a statement about what is listed.  If
that was the original intent, maybe we should propose it during the next
round of OpenPGP revisions?

Anyway, this is some trivial/arcane RFC lawyering, and the question for
this list is what should be advertised by gpg.

I'd say that good OpenPGP tools should prefer stronger digests when they
support them, and should publicly advertise that fact, which is why I
proposed the new ordering.

	--dkg
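
An added example, not part of the message above and not GnuPG code: how a sender could consume a recipient's advertised preferred-hash subpacket (RFC 4880 subpacket type 21) under the "only algorithms listed are supported" reading, and how the advertised order changes the digest that gets used. The function names, the sender's supported set and both sample subpackets are constructed for illustration.

```python
# Hash algorithm IDs as assigned in RFC 4880.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PREFERRED_HASH = 21   # signature subpacket type: preferred hash algorithms
SHA1 = 2              # the must-implement hash in RFC 4880

def parse_preferred_hashes(subpacket: bytes) -> list[int]:
    """Parse one signature subpacket (length, type, body) into ordered hash IDs."""
    first = subpacket[0]
    if first < 192:                       # one-octet length
        length, off = first, 1
    elif first < 255:                     # two-octet length
        length, off = ((first - 192) << 8) + subpacket[1] + 192, 2
    else:                                 # 0xFF followed by a four-octet length
        length, off = int.from_bytes(subpacket[1:5], "big"), 5
    if length < 1 or off + length > len(subpacket):
        raise ValueError("truncated subpacket")
    if subpacket[off] & 0x7F != PREFERRED_HASH:   # mask off the critical bit
        raise ValueError("not a preferred-hash subpacket")
    return list(subpacket[off + 1:off + length])  # body: one octet per algorithm

def choose_digest(recipient_prefs: list[int], sender_supported: set[int]) -> int:
    """Pick the first advertised algorithm the sender also implements.

    Unlisted algorithms are never chosen: the recipient is assumed to support
    only what it lists. With no overlap this example falls back to SHA-1,
    the must-implement hash (an assumption of this example).
    """
    for algo in recipient_prefs:
        if algo in sender_supported:
            return algo
    return SHA1

# Constructed sample subpackets: same key owner, two advertised orderings.
SHA1_FIRST = bytes([4, PREFERRED_HASH, 2, 8, 3])            # SHA1, SHA256, RIPEMD160
STRONG_FIRST = bytes([6, PREFERRED_HASH, 10, 9, 8, 11, 2])  # SHA512 ... SHA1 last
SENDER_SUPPORTED = {2, 8, 10}                               # hypothetical sender

if __name__ == "__main__":
    for label, raw in (("SHA1 first", SHA1_FIRST), ("strong first", STRONG_FIRST)):
        prefs = parse_preferred_hashes(raw)
        picked = choose_digest(prefs, SENDER_SUPPORTED)
        print(label, [HASH_NAMES[a] for a in prefs], "->", HASH_NAMES[picked])
```
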
