please change the default hashing algorithm
flapflap
flapflap at riseup.net
Mon Jul 13 00:53:05 CEST 2015
Andrew Clausen:
> Hi GPG developers,
>
> By default, GPG uses the SHA1 hashing algorithm, which has been believed to be
> weak for over 10 years.[1] Is it possible to change the default over to
> SHA256?
>
> I understand that there are several different uses for hashing algorithms,
> governed by the personal-digest-preferences and cert-digest-algo options.
> I would think it makes sense to switch both of these over to SHA256, but
> it's much more important to switch over personal-digest-preferences.
>
> Previous email discussions on this list have mentioned some kind of
> compatibility concerns. If we can't switch both over immediately, are there
> any compatibility concerns with just switching personal-digest-preferences
> over?
>
> Cheers,
> Andrew
>
> [1] https://www.schneier.com/blog/archives/2005/02/sha1_broken.html

Some additional opinions for the discussion:

The "OpenPGP Best Practices" of Riseup also recommend against choosing
SHA1 in some cases:
https://help.riseup.net/en/security/message-security/openpgp/best-practices#self-signatures-should-not-use-sha1

and also SHA1 is highlighted in red when querying the key status with
hopenpgp-tools:

$ hkt export-pubkeys <KEYID|UID> | hokey lint

Cheers,
flapflap