SHA1 being used despite public key preferences

David Shaw dshaw at jabberwocky.com
Thu Oct 21 04:41:03 CEST 2010


On Oct 20, 2010, at 3:33 PM, Robert J. Hansen wrote:

> On 10/20/2010 3:08 PM, smu johnson wrote:
>> Sure, this is confusing, but since experts such as Bruce Schneier
>> say to quit using SHA-1...
> 
> I like Bruce, and I think he does good work -- but appealing to
> authority here is simply a non-starter.
> 
> In real-world systems you can't simply stop using an algorithm cold and
> start using something new.  The overwhelming majority of times you have
> to establish a migration path to allow the system to continue operating
> as new capabilities are added to it and old capabilities removed.

There is not an issue here about removing algorithms.  There is no way to remove SHA-1 without serious work, and nobody is suggesting such a thing here (nor would it even make sense to discuss it here rather than on the IETF list anyway).  This is more of a question as to the most generally useful default for signing:

a) SHA-1 (current behavior)
b) No preference (allows recipient to pick from available algorithms, including SHA-1, and defaulting to SHA-1 in case of disagreement)
c) Something else

(a) is current behavior.  I can see a reasonable case for (b) to help spread the use of other algorithms.  I'd love to hear about anyone's (c), especially if it is better than (a) or (b).

This is, of course, only the default behavior.  The signer is always free to change it to something they prefer.

> This process can take decades.  Consider, e.g., that MD5 is still
> supported in GnuPG today -- it's hard for me to think of a hash
> algorithm more deprecated than MD5 (maybe, what, MD2, MD4?), but we've
> still got to support MD5.  Maybe someday we can remove MD5 support
> altogether, but that won't be happening for a while yet.
> 
>> This is my favourite solution.  This way, I won't have to ask every 
>> single newcomer to GnuPG sending me signed messages to request my key
>> prefs for digest algorithms.
> 
> Why should your preferences affect what algorithms they elect to use for
> their signatures?  That would be like telling me, "Rob, I like
> WHIRLPOOL.  Therefore, use WHIRLPOOL when signing data."  To heck
> with that: I'm going to use SHA256, or whatever algorithm I like.

Well, sure.  You're the one originating the message, so you get to do whatever you like.  The recipient can only tell you what they can understand, and within that set, which they like the best.  You don't have to listen to them, but in some cases (like if they are telling you they can't understand a particular algorithm), you're best served by taking their information into consideration.

David
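The negotiation David describes (the signer's own default, the recipients' digest preference lists, and SHA-1 as the fallback everyone must understand) can be modelled in a few lines. The block below is an added example and is not GnuPG's code; it assumes the RFC 4880 hash algorithm IDs, treats a key that carries no hash-preference subpacket as understanding SHA-1 only, and implements option (b) as "use the digest the recipients unanimously rank first, otherwise SHA-1", which is one reading of "defaulting to SHA-1 in case of disagreement" rather than a description of what gpg actually does.

```python
"""Model of OpenPGP digest negotiation for a signed message.

Added example, not GnuPG's own code. Algorithm IDs follow RFC 4880 section 9.4.
Assumptions: a recipient with no hash-preference list understands SHA-1 only,
and SHA-1 (the MUST-implement digest) is understood by every recipient.
"""

MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 = 1, 2, 3, 8, 9, 10, 11
HASH_NAMES = {MD5: "MD5", SHA1: "SHA1", RIPEMD160: "RIPEMD160",
              SHA256: "SHA256", SHA384: "SHA384", SHA512: "SHA512",
              SHA224: "SHA224"}


def understood_by(prefs):
    """Digests a recipient can verify, in the recipient's preferred order.

    prefs is the key's hash-preference list, or None if the key carries none.
    SHA-1 is appended when unlisted because every implementation must have it.
    """
    if prefs is None:
        return [SHA1]
    ordered = [p for p in prefs if p in HASH_NAMES]  # drop IDs we do not know
    return ordered + ([SHA1] if SHA1 not in ordered else [])


def choose_digest(signer_prefs, recipient_prefs):
    """Pick the digest for a signature that every recipient must verify.

    signer_prefs    -- ordered list the signer wants (option (a) is [SHA1];
                       someone insisting on SHA-256 passes [SHA256]), or None
                       for "no preference" (option (b) in the thread).
    recipient_prefs -- one preference list (or None) per recipient key.
    Returns the chosen algorithm ID.
    """
    # What every recipient can verify: intersect the per-recipient sets.
    common = None
    for prefs in recipient_prefs:
        mine = set(understood_by(prefs))
        common = mine if common is None else common & mine
    if not common:
        # Nobody to consult (e.g. a detached signature): keep the SHA-1 default.
        return SHA1

    if signer_prefs:
        # The signer originates the message and gets first pick, but only from
        # what all recipients said they can understand.
        for algo in signer_prefs:
            if algo in common:
                return algo
        return SHA1  # nothing the signer likes is universally understood

    # Option (b): no signer preference, so let the recipients decide. Each
    # recipient's top choice within the common set is collected; unanimity
    # wins, disagreement falls back to SHA-1.
    tops = set()
    for prefs in recipient_prefs:
        for algo in understood_by(prefs):
            if algo in common:
                tops.add(algo)
                break
    return tops.pop() if len(tops) == 1 else SHA1


if __name__ == "__main__":
    # Constructed recipient preference lists, not taken from any real key.
    alice = [SHA256, SHA512]     # modern key, SHA-1 understood but unlisted
    bob = [SHA512, SHA256]       # same set, different order
    old = None                   # key with no hash-preference subpacket
    for label, signer, recips in [
        ("option (a), SHA-1 default", [SHA1], [alice, bob]),
        ("signer insists on SHA-256", [SHA256], [alice, bob]),
        ("signer wants SHA-256, old key present", [SHA256], [alice, old]),
        ("option (b), recipients agree", None, [alice, [SHA256, SHA1]]),
        ("option (b), recipients disagree", None, [alice, bob]),
    ]:
        print(f"{label}: {HASH_NAMES[choose_digest(signer, recips)]}")
```

Run as a script to see each of the cases from the thread decided; the "old key present" case is the one where listening to the recipient matters, because the only digest that key is known to handle is SHA-1.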