[PATCH] Allow printing key digests in key edit

Christian Aistleitner christian at quelltextlich.at
Mon Jan 30 14:36:20 CET 2012


Hello Werner,

on Mon, Jan 30, 2012 at 09:32:58AM +0100, Werner Koch wrote:
> On Sun, 29 Jan 2012 16:23, christian at quelltextlich.at said:
> 
> > Although SHA1 is considered to be broken by some, [...]
> 
> That is plain nonsense.

I suppose we all agree that among those who claim such "nonsense" are
for example renowned cryptographer Bruce Schneier [1]. For whatever
reason places like Apache.org also follow this nonsense [2].

Be things as they may, I haven't seen SHA-1 collisions growing on
trees since 2005 either :)

> > The patch added below, adds a "digest" command in the --edit-keys
> > menu, that allows to compute further digests of keys.
> 
> These are not defined by OpenPGP and thus I strongly advise against its
> use.  SHA-1 is an integral part of OpenPGP; it doesn't help if you come
> up with a different way of computing a fingerprint.

As written in the PS of my previous post [3], this patch is not to mangle
with OpenPGP business. It is not an attempt to replace the OpenPGP
fingerprint. It does not even touch any OpenPGP stuff within GnuPG.
It's solely about letting GnuPG (not general OpenPGP) users experiment.

Let the GnuPG users see, what the SHA2 digests look like.
Let them see how it feels to be "identified" by more bits.
This might help finding answers to questions like:
- Is it feasable to ask people to check printouts of SHA2 digests before
  coming to key-signing parties?
- Is it feasable to hold key-signing parties where SHA2 digests are
  compared live?
- Do people revolt against manually checking longer digests?

It is not about mangling with OpenPGP. OpenPGP and the patch do not
interfere.

It is about freedom; giving people access to further digests.
Letting people experiment.

Kind regards,
Christian


[1] http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
[2] http://www.apache.org/dev/openpgp.html#sha1
[3] Which you edited away for whatever reason.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: </pipermail/attachments/20120130/f1ad4d50/attachment.pgp>


More information about the Gnupg-devel mailing list