SHA1 being used despite public key preferences

David Shaw dshaw at
Thu Oct 21 04:59:20 CEST 2010

On Oct 20, 2010, at 4:57 PM, John Clizbe wrote:

> Robert J. Hansen wrote:
>> On 10/20/2010 3:08 PM, smu johnson wrote:
>>> Sure, this is confusing, but since experts such as Bruce Schneier
>>> say to quit using SHA-1...
>> I like Bruce, and I think he does good work -- but appealing to
>> authority here is simply a non-starter.
>> In real-world systems you can't simply stop using an algorithm cold and
>> start using something new.  The overwhelming majority of times you have
>> to establish a migration path to allow the system to continue operating
>> as new capabilities are added to it and old capabilities removed.
> Exactly Rob, there are still a lot of users out there whose PGP software cannot
> handle the SHA-2 hashes. We shouldn't just throw them overboard and sail on.

The preferences system handles this case automatically.  If one of these users is a recipient, then the new hashes will not be used.  If one of these users is the signer, then (naturally) the new hashes will not be used.

New hashes are only used if both the sender and recipients agree they can handle them.
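An added example, not part of the original message and not GnuPG's code: a simplified Python model of the negotiation described above, showing why one legacy recipient pulls a signature back to SHA-1. It assumes the RFC 4880 hash IDs and that RFC's rule that SHA-1 sits tacitly at the end of every preference list; the tie-break by the signer's own ordering and all sample preference lists are constructed for illustration.

```python
# Simplified model of OpenPGP digest selection (illustrative, not GnuPG's code).
# Algorithm IDs are the hash identifiers from RFC 4880, section 9.4.
SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 = 2, 3, 8, 9, 10, 11
NAMES = {2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
         9: "SHA384", 10: "SHA512", 11: "SHA224"}


def effective_prefs(prefs):
    """Return a preference list with SHA-1 tacitly appended if absent.

    RFC 4880 (13.3.2) treats the must-implement hash, SHA-1, as being at
    the end of every list, so a key with no preferences still accepts it.
    """
    prefs = list(prefs)
    return prefs if SHA1 in prefs else prefs + [SHA1]


def select_digest(signer_order, recipient_prefs):
    """Pick the signer's most preferred digest that every recipient accepts.

    signer_order: digests the signer can produce, best first (assumption of
                  this sketch: the signer's order decides among common ones).
    recipient_prefs: one digest preference list per recipient key.
    """
    signer = effective_prefs(signer_order)
    acceptable = set(signer)
    for prefs in recipient_prefs:
        acceptable &= set(effective_prefs(prefs))
    # SHA-1 is in every effective list, so a match always exists.
    return next(algo for algo in signer if algo in acceptable)


# Constructed sample keys.
MODERN = [SHA512, SHA384, SHA256, SHA224, SHA1]   # current implementation
LEGACY = [SHA1, RIPEMD160]                        # old PGP without SHA-2
NO_PREFS = []                                     # key carries no preferences

if __name__ == "__main__":
    cases = {
        "modern signer, modern recipient": ([SHA512, SHA256], [MODERN]),
        "modern signer, one legacy recipient": ([SHA512, SHA256], [MODERN, LEGACY]),
        "legacy signer, modern recipient": ([SHA1], [MODERN]),
        "recipient key without preferences": ([SHA512, SHA256], [MODERN, NO_PREFS]),
    }
    for label, (signer, recipients) in cases.items():
        print(f"{label}: {NAMES[select_digest(signer, recipients)]}")
```
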


