SHA-1 recommendations

Werner Koch wk at gnupg.org
Tue May 19 12:11:58 CEST 2009


On Sun, 17 May 2009 23:44, dkg at fifthhorseman.net said:

> cannot handle stronger digest algorithms.  For example RFC 4055
> (from June 2005) appears to list SHA-2 algorithms for X.509:

Well, this is an RFC but not the real world.  You should consider RFCs
in the X.509 world as an attempt to document what some systems in some
special version may try to implement at some time.

The German signature law for example requires the use of SHA-256 since
this year.  However there are a lot of problems, for example the need to
implement the gpgsm option --extra-digest-algo to allow verification
with gpgsm because some software used by the folks creating signatures
mixes SHA-1 and SHA-256 in an incompatible way.

I wish that X.509 would go away, too.  However, no hunger and peace are
an easier goal than getting rid of X.509.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.



