SHA1 being used despite public key preferences

David Shaw dshaw at jabberwocky.com
Thu Oct 21 04:56:24 CEST 2010


On Oct 20, 2010, at 4:11 PM, Daniel Kahn Gillmor wrote:

> On 10/20/2010 02:52 PM, David Shaw wrote:
>> GnuPG itself defaulted to "RIPEMD/160 SHA-1" when generating keys.  The surprise was from those people who hadn't changed anything on their key - one day they were using SHA-1, then after upgrading GnuPG to the version that actually made use of the hash preferences, they would suddenly find themselves using RIPEMD/160.

> So it sounds to me like you're saying people were surprised that they
> were suddenly respecting *other* people's stated preferences for digest
> algorithms that their OpenPGP implementation happens to support.

Yes, exactly.  I meant it as "...find themselves using RIPEMD/160 when issuing signatures for those recipients".

> let me see if i've got this right:
> 
> default-preference-list determines what the stated preference should be,
> which is published in the self-sig on the user's own key.  That is, it's
> for other people who want to sign things for me to verify.  For example,
> on my key, it answers the question "what digest would dkg prefer people
> to use when sending him signed mail?"

Yes.

> personal-digest-preferences determines what digests the *user* would
> prefer to use.  In my own GnuPG configuration, it says "which digests
> would i prefer to make signatures over?"

Yes.

> The choice of a digest for any particular signature takes into account
> the published preferences of the recipients, along with the
> --personal-digest-preferences of the signer.

Yes, that's it.  The algorithm works by finding all of the digest algorithms that are listed for all recipients.  SHA-1 is always part of this set, even if nobody explicitly lists it.  Then, if the signer has personal-digest-preferences set, we work our way down that list in ranked order until we find an algorithm that is in the set and is usable at all (remember that a large DSA key can't use smaller hashes).  If the signer does not have personal-digest-preferences set, we pick the most highly ranked usable algorithm for all the recipients (i.e. we try and make the recipients happy by picking their more-favored algorithms rather than their least-favored).  The end result of this guarantees that a) we pick an algorithm that everyone can handle, and b) we pick what the sender desires, if the sender expresses an opinion, and a generally high-ranked algorithm otherwise.

David
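The selection rule David describes above, written out as a stand-alone Python model. This is an added example, not GnuPG's own code. It assumes the RFC 4880 digest registry sizes; that a DSA key can only use a hash at least as wide as its subgroup order q (the "large DSA key can't use smaller hashes" rule); that "most highly ranked for all the recipients" is modelled as the lowest summed position across the recipients' lists, with an unlisted (implicit) SHA-1 ranking after everything a recipient did list; and that with no recipients at all any supported digest is allowed. The `Recipient`, `SigningKey` and `choose_digest` names are this example's own.

```python
"""Model of OpenPGP digest selection as described on gnupg-devel (added
example, not GnuPG source).  Assumptions, none of which come from the thread:
 - digest output sizes per RFC 4880 section 9.4;
 - a DSA key needs a digest at least as wide as q (RFC 4880 section 13.6);
 - recipient ranking = lowest summed list position, implicit SHA-1 last;
 - no recipients at all = every supported digest is acceptable.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# RFC 4880 hash algorithm names -> output size in bits
DIGEST_BITS: Dict[str, int] = {
    "MD5": 128, "SHA1": 160, "RIPEMD160": 160, "SHA224": 224,
    "SHA256": 256, "SHA384": 384, "SHA512": 512,
}
IMPLICIT = "SHA1"   # every OpenPGP implementation must support it, so it is always "listed"


@dataclass
class Recipient:
    name: str
    digest_prefs: List[str]   # as published in the key's self-signature, best first


@dataclass
class SigningKey:
    algo: str          # "RSA" or "DSA"
    q_bits: int = 0    # DSA subgroup order size in bits; unused for RSA


def usable_with_key(digest: str, key: SigningKey) -> bool:
    """A DSA signature needs a hash at least as wide as q; RSA accepts any digest."""
    if key.algo == "DSA":
        return DIGEST_BITS[digest] >= key.q_bits
    return True


def common_digests(recipients: List[Recipient]) -> Set[str]:
    """Digests every recipient can verify.  SHA-1 is added to each recipient's set."""
    common = set(DIGEST_BITS)
    for r in recipients:
        common &= set(r.digest_prefs) | {IMPLICIT}
    return common


def recipient_rank(digest: str, recipients: List[Recipient]) -> int:
    """Sum of list positions across recipients; lower is better (assumption).
    A digest a recipient did not list (implicit SHA-1) ranks after their list."""
    total = 0
    for r in recipients:
        total += (r.digest_prefs.index(digest) if digest in r.digest_prefs
                  else len(r.digest_prefs))
    return total


def choose_digest(recipients: List[Recipient], personal_prefs: List[str],
                  key: SigningKey) -> Optional[str]:
    """Pick the digest for one signature.

    1. Intersect all recipients' preference lists (SHA-1 always included).
    2. If the signer has personal-digest-preferences, take the first entry that is
       in the intersection and usable with the signing key.
    3. Otherwise (or if none of the personal entries qualify, an assumption here)
       take the recipients' best-ranked usable digest.
    Returns None when nothing usable exists (e.g. DSA-2048 vs. SHA-1-only recipients).
    """
    common = common_digests(recipients)
    for d in personal_prefs:
        if d in common and usable_with_key(d, key):
            return d
    candidates = [d for d in common if usable_with_key(d, key)]
    if not candidates:
        return None
    # tie-break on rank, then wider digest, then name, so the choice is deterministic
    return min(candidates,
               key=lambda d: (recipient_rank(d, recipients), -DIGEST_BITS[d], d))


if __name__ == "__main__":
    # Constructed sample keys: one modern preference list, one old GnuPG default.
    dkg = Recipient("dkg", ["SHA256", "SHA512", "SHA1"])
    old = Recipient("old-key", ["RIPEMD160", "SHA1"])
    rsa = SigningKey("RSA")
    print("no personal prefs, dkg+old ->", choose_digest([dkg, old], [], rsa))
    print("no personal prefs, old only ->", choose_digest([old], [], rsa))
    print("DSA-2048 (q=256) to old key ->",
          choose_digest([old], ["SHA256"], SigningKey("DSA", q_bits=256)))
```

The first sample run reproduces the subject line of the thread: a modern key and an old "RIPEMD160 SHA1" key share only SHA-1, so SHA-1 is chosen no matter what either side ranks first. The second reproduces the upgrade surprise from earlier in the thread (RIPEMD/160 chosen for a recipient whose old default list ranks it above SHA-1). The third shows the failure mode: a 2048-bit DSA signing key cannot use any 160-bit digest, and the recipient lists nothing wider, so there is no valid choice at all.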




More information about the Gnupg-devel mailing list