SHA-1 recommendations

[Daniel Kahn Gillmor]

On 05/18/2009 07:24 PM, David Shaw wrote:
> "Never" is perhaps too strong, but in for this particular issue, yes, I
> do think it's a less than good idea.  It puts forth a confusing message
> where GPG says one thing, but this additional document says something
> else.  If I felt that these sorts of actions were necessary, I'd argue
> to change the defaults in GPG and not use a secondary document at all.

The advantage to creating these documents (particularly those targeted
at more-sophisticated users, which i tried (but apparently failed) to do
with my initial blog post) is that it can create a "pilot" pool of folks
who can say "i've tried these settings for a while, and ran into these
problems", which can then inform a default settings change.

dkg wrote:

>> True.  For those who do not participate in the WoT, the choice of
>> cert-digest-algo is irrelevant, though (they don't interpret
>> certificates at all), so we can ignore those people in this
>> consideration.
> 
> That is unfortunately not true.  Just because they don't make their keys
> part of the public web of trust doesn't mean they don't certify each other.

I addressed those people later in the original message (though i don't
have good ideas for how to measure them).  I didn't mean to conflate
them with the group who uses the WoT but not the public keyservers.  I
consider the WoT to include the "dark" areas (i maintain several
certificates like this), as well as the areas in the public keyservers.

At any rate, i'm still interested in ideas about how we can know when a
change in the default cert-digest-algo would be warranted.  Suggestions?

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090518/8c5ce7db/attachment.pgp>