Tiger and SHA2 in gpg 1.2.0

David Shaw dshaw@jabberwocky.com
Tue Sep 24 21:25:02 2002


On Mon, Sep 23, 2002 at 09:35:02PM +0200, Johan Wevers wrote:
> David Shaw wrote:
> 
> > SHA2 is not part of the official GnuPG.
> 
> I know, but I can still want to use it. Is this still possible?

You would need to use a patched version.  I think you can get the
patch at www.nullify.org.

> > Note there are many good reasons not to use TIGER.
> 
> Like what? Is it a weak hash, or is its strength not very well
> researched? I know that its size of 192 bits causes problems with
> the DSA standards.

My concern is with interoperability.  TIGER isn't fully specified in
OpenPGP, as it does not have an OID number.  The OID used in GnuPG is
a dummy placeholder.  This means that once the real OID is assigned,
it will not be compatible with TIGER signatures made with the dummy.
Also, GnuPG is the only implementation that has TIGER support at all -
if you use it, only other GnuPG users will be able to verify your
signatures.  Finally, as you say, at 192 bits it can only be used with
RSA signatures.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson