Weaknesses in SHA-1

[Alan S. Jones]

I would be curious if anyone knows what the commercial PGP app supports
also for a good comparison.  I think it would be helpful not just for
rumored weaknesses, but for over all compatibility knowledge.  Maybe an
ongoing table we could keep current.

I know t hat SHA-1 has been analyzed more then SHA256, SHA384, or SHA512
thus could actually be stronger.  However why not let people create keys
with those algorithms also in 1.4?


On a side note I know that the 1.3.x series will become the new stable 1.4.
 However I was wondering when we would see the first builds that actually
said  1.4 come along?  I figure we will see a much more use of that build
series when it actually says 1.4.


Alan





>
>gpg --version
>
>In 1.2.x, GnuPG supports MD5, SHA1, and RIPEMD160.  It also supports
>SHA256 read-only (you can verify existing signatures made with SHA256,
>but not make new ones).  If you compile it with the right options, you
>can get SHA384 and SHA512 read-only.  TIGER192 is allowed, but
>discouraged.
>
>In 1.4, GnuPG will suppports MD5, SHA1, RIPEMD160, and SHA256.  It
>will support SHA384 and SHA512 read-only.  TIGER192 is removed.
>
>David





 
--
Alan S. Jones
asj at ipa.net
http://users.ipa.net/~asj