customizing PGP

Werner Koch wk at
Thu Feb 12 13:54:39 CET 2015

On Tue, 10 Feb 2015 21:38, rjh at said:

> The standard requires SHA-1 be present and that it be used in certain
> cases.  If GnuPG deviates from that, GnuPG is no longer
> OpenPGP-conformant.  GnuPG's entire mission statement is to be a
> conformant implementation of the OpenPGP and S/MIME standards.

To add to this: And allow decryption/verification of data created a long
time ago - even in a distant future.  This is the purpose of a standard.

Look at the outcry of some after having removed PGP-2 support from 2.1.
PGP-2 is really old and for various reasons (see discussions on this
list) it was decided that removing it is a good idea as long as we keep
on maintaining a version which supports PGP-2 keys.

A few years back when PRZ was still in the PGP business he put quite
some effort into convincing us implementors to comply with the standard
and limit the number of different algorithms for the sake of better
interoperability.  Bernd, you are asking to ignore the standard.

If someone creates a signature using SHA-1, why should one be concerned?
It is their decision to do that and you can't control that.  You can't
control either whether they have opened their box to the world by using
insecure, broken, or backdoored software.

The hardwired use of SHA-1 is not an immediate problem if you look at
the attack tree.  The major obstacle is that it slows down bulk
encryption due to its use in the MDC.  That can be changed but it will
take some years before that can actually be used.  I am actually keen to
start working on an extension to use OCB mode instead of CFB+MDC.

Yes, I know that the use of the SHA-1 fingerprint in some OpenPGP
features is a bit problematic but it is something we can live with for

We keep on doing what we have ever done: Add new algorithms, deploy
software implementing them and eventually start to use them.

Thoughts are free.  Exceptions are governed by a federal law.