SHA3 IANA registration - method?

David Shaw dshaw at
Thu Dec 13 16:47:27 CET 2012

On Dec 12, 2012, at 4:09 PM, Andrey Jivsov <openpgp at> wrote:

> I wrote a draft to support SHA-3 Keccak in OpenPGP.
> I slowed down thinking about what to do about SHA1 fingerprints before I was distracted by unrelated things. My thought was that perhaps this draft should be used to resolve the issue of a SHA1 fingerprint by introducing a hardwired Keccac fingerprint.
> Ignoring the fingerprint issue, the rest of the spec should be straighforward. I am attaching the document that I created.

I'm pretty against combining the fingerprint issue and SHA-3.  They're not really related, and combining them just ensures that the SHA-3 draft (which should be trivial and noncontroversial) will take many months if not longer.  Changing fingerprints touches a huge amount of deployed code and needs careful design, but SHA-3 just needs an algorithm number allocated.

I'm all for a SHA-3 draft on its own, but is SHA-3 in a state where a draft is appropriate?  There is no OID yet, and there is no RFC to refer to (there isn't even a NIST spec to refer to).

I'd wait a little while until these things are finished, and then the OpenPGP SHA-3 draft can just point to them.


More information about the Gnupg-devel mailing list