SHA1 being used despite public key preferences
John at Mozilla-Enigmail.org
Wed Oct 20 22:57:05 CEST 2010
Robert J. Hansen wrote:
> On 10/20/2010 3:08 PM, smu johnson wrote:
>> Sure, this is confusing, but since experts such as Bruce Schneier
>> say to quit using SHA-1...
> I like Bruce, and I think he does good work -- but appealing to
> authority here is simply a non-starter.
> In real-world systems you can't simply stop using an algorithm cold and
> start using something new. The overwhelming majority of times you have
> to establish a migration path to allow the system to continue operating
> as new capabilities are added to it and old capabilities removed.
Exactly Rob, there are still a lot of users out there whose PGP software cannot
handle the SHA-2 hashes. We shouldn't just throw them overboard and sail on.
I like Bruce too, but I think the recommendation being cited should be extended
with the clause "/for new work/". I have always sensed a strong sense of
pragmatism in the advice from the crypto gurus. I think it's well recommended
here as well.
> This process can take decades. Consider, e.g., that MD5 is still
> supported in GnuPG today -- it's hard for me to think of a hash
> algorithm more deprecated than MD5 (maybe, what, MD2, MD4?), but we've
> still got to support MD5. Maybe someday we can remove MD5 support
> altogether, but that won't be happening for a while yet.
One other little thing I got from our IETF friend Jeff: MD5 and SHA1 are both
hard-wired into a BUNCH of silicon as well as required by a lot of protocols.
THAT is the sort of change that will require decades.
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 499 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-devel