SHA-1 deprecation timeline

Robert J. Hansen rjh at sixdemonbag.org
Fri May 13 07:04:15 CEST 2016


> SHA-1 has been broken for the last 11 years...

No.  In fact, it still hasn't been broken today.  Don't scaremonger.
Scaremongering about crypto is one of the quickest ways to make me angry.

SHA-1 has failed to meet its cryptographic goals.  It is 'broken' in an
extremely narrow cryptanalytic sense.  There has been no break in it
which would result in OpenPGP messages being forgeable.  We definitely
need to migrate away from it (my first "please migrate away" message was
August 19, 2005; I've been banging this drum a *long* time), but we also
need to not spread misinformation and fear.

As far as the OpenPGP use case is concerned, SHA-1 is not yet broken.

> and people have been urging its removal for at least that long

Yes, people who don't understand a bloody thing about cryptographic
systems.  The people who write them for a living have instead understood
that SHA-1 needs to be supported for at least the next decade just to
interoperate with legacy systems and traffic.

Deprecating an optional algorithm (like MD5) is pretty easy.  Removing a
required algorithm (like SHA-1) is pretty tough.  And it starts by
editing the RFC to make the required algorithm optional, and then it
gets deprecated.

> GPG only disabled MD5 in June 2014...

It was deprecated long, *long* before that.

> How long will GPG users have to wait this time, and what has to happen to get a
> concrete timetable, like there has been for TLS since 2014?

Unless you've got a support contract with g10 Code, you've got no cause
to be talking like this.  Nobody here owes you a blessed thing.

You've already been told what has to happen.  Once the IETF OpenPGP
Working Group publishes a new RFC with guidance for what should be done
about SHA-1, GnuPG will implement that RFC in short order -- my guess is
within weeks.  The delay is in the Working Group, *not* GnuPG.
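The practical question behind this thread is whether your own signatures
still depend on SHA-1.  The following is an added example, not code from
the poster or from GnuPG: a small parser for RFC 4880 packet framing that
reports the digest algorithm of every signature packet in a binary (not
ASCII-armored) OpenPGP blob.  The sample bytes are constructed for the
example: a literal-data packet, a v4 signature declaring SHA-1, and a v4
signature declaring SHA-256, all with empty subpacket areas and a
one-byte dummy MPI.  Partial-body and indeterminate lengths are not
handled, and the set of digests treated as "strong" is an assumption of
the example.

```python
"""Report the digest algorithm used by each OpenPGP signature packet.

Added example for this page (not GnuPG code).  Packet framing and
algorithm IDs follow RFC 4880 sections 4.2, 5.2 and 9.4.
"""

# Hash algorithm IDs from RFC 4880 section 9.4.
HASH_ALGOS = {
    1: "MD5",
    2: "SHA-1",
    3: "RIPEMD-160",
    8: "SHA-256",
    9: "SHA-384",
    10: "SHA-512",
    11: "SHA-224",
}

# Digests this audit accepts (assumption of the example); others are flagged.
STRONG_HASHES = {8, 9, 10, 11}

SIGNATURE_TAG = 2


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet in data, old- or new-format header.

    New-format partial body lengths (first octet 224..254) and old-format
    indeterminate lengths are rejected rather than guessed at.
    """
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new-format header: tag in low 6 bits
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body length not supported")
        else:  # old-format header: tag in bits 2..5, length type in bits 0..1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = {0: 1, 1: 2, 2: 4}[ltype]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body


def signature_hash_algo(body: bytes) -> int:
    """Return the hash algorithm ID from a v3 or v4 signature packet body."""
    version = body[0]
    if version == 4:
        # v4 layout: version, signature type, public-key alg, hash alg, ...
        return body[3]
    if version == 3:
        # v3 layout: version, hashed-material length (5), signature type,
        # 4-byte creation time, 8-byte key ID, public-key alg, hash alg, ...
        return body[16]
    raise ValueError(f"unsupported signature version {version}")


def audit(data: bytes):
    """Return [(hash_name, acceptable), ...] for each signature packet."""
    results = []
    for tag, body in iter_packets(data):
        if tag != SIGNATURE_TAG:
            continue
        algo = signature_hash_algo(body)
        name = HASH_ALGOS.get(algo, f"unknown({algo})")
        results.append((name, algo in STRONG_HASHES))
    return results


# Constructed sample blob (not real signatures):
#   AC 07 ...            old-format literal-data packet (tag 11), skipped
#   88 0D 04 00 01 02 .. old-format v4 RSA signature, hash alg 2 = SHA-1
#   C2 0D 04 00 01 08 .. new-format v4 RSA signature, hash alg 8 = SHA-256
SAMPLE = bytes.fromhex(
    "AC07" "62000000000068"
    "880D" "0400010200000000ABCD000842"
    "C20D" "0400010800000000ABCD000842"
)

if __name__ == "__main__":
    for name, ok in audit(SAMPLE):
        print(f"{name:10s} {'ok' if ok else 'MIGRATE'}")
```

On real data, `gpg --list-packets` prints the same "digest algo" field for
each signature; the parser above is only meant to show where that byte
lives and how the packet framing is walked to reach it.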



More information about the Gnupg-devel mailing list