SHA-1 recommendations

David Shaw dshaw at
Mon May 18 20:16:23 CEST 2009

On May 18, 2009, at 2:04 PM, Daniel Kahn Gillmor wrote:

> On 05/18/2009 01:31 PM, David Shaw wrote:
>> I agree with you, except for the "exhaustive" part.  I see no wording
>> that states or even suggests that all possible algorithms supported  
>> need
>> to be listed.
> This is the line in question (split across pages in the RFC):
>   It is assumed that only algorithms listed are supported by the
>   recipient's software.

i.e. don't list it if you don't support it.

Since both PGP and GPG managed to read it the same way, and there is  
also a discussion as to what happens if if an implementation gets a  
message using an algorithm it doesn't list (something that would not  
be possible if all algorithms were listed), I don't think there is all  
that much confusion in the community as to what this means.


More information about the Gnupg-devel mailing list