SHA-1 recommendations

Werner Koch wk at
Tue May 19 12:11:58 CEST 2009

On Sun, 17 May 2009 23:44, dkg at said:

> cannot handle more stronger digest algorithms.  For example RFC 4055
> (from June 2005) appears to list SHA-2 algorithms for X.509:

Well, this is an RFC but not the real world.  You should consider RFCs
in the X.509 world as an attempt to document what some systems in some
special version may try to implement at some time.

The German signature law for example requires the use of SHA-256 since
this year.  However there are a lot of problems, for example the need to
implement the gpgsm option --extra-digest-algo to allow verification
with gpgsm because some software used by the folks creating signatures
mixes SHA-1 and SHA-256 in an incompatible way.

I wish that X.509 would go away, too.  However, no hunger and peace are
an easier goal than getting rid of X.509.



Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

More information about the Gnupg-devel mailing list