SHA3 IANA registration - method?

David Shaw dshaw at
Wed Dec 12 17:04:57 CET 2012

On Dec 12, 2012, at 5:46 AM, Phil Pennock <gnupg-devel at> wrote:

> Sorry for asking here, but mail to <ietf-openpgp-request at> is
> bouncing, so it looks as though the ietf-openpgp list is now completely
> dead.  The only IETF forum I can spot is the concluded openpgp WG:

The IETF OpenPGP WG completed their work, so that list was closed.  There is another list, however, for ongoing discussions:  That would be the appropriate place to discuss adding SHA-3 support to OpenPGP.

> So: what's the best mechanism for registering a "Hash Algorithms" entry
> in for
> SHA-3 ?  RFC without implementation or implementation based on PRIVATE
> USE code-points and then RFC?

It's pretty simple to propose a new algorithm for OpenPGP: discuss it on the OpenPGP list, and then write and submit an RFC.  The RFC is mainly boilerplate that says "This extends OpenPGP, here's a new hash algorithm, it's specified in such-and-such document, and its algorithm number is XXX.  All the usual statements about hash algorithms from RFC-4880 apply here as well."  IANA changes XXX to the algorithm number on publication.  Take a look at the one I did for Camellia ( and feel free to steal any or all of it.

> I'm guessing that a working implementation using a PRIVATE USE
> code-point, per RFC4880 section 13.10, is a decent way to go?  Or is PGP
> one of the protocols where folks have settled on avoiding private use
> fields because of the difficulty in migrating away from them?

The private algorithm numbers are useful for internal use and testing, but I would not ship code that uses them, except for interop testing and similar.  Otherwise, the private algorithm number effectively becomes public, and implementers need to support the real number and the temporary private number for a long time, if not indefinitely.


More information about the Gnupg-devel mailing list