Question about history of hash and cipher collections

David Shaw dshaw at jabberwocky.com
Tue Jan 15 17:52:04 CET 2008


On Tue, Jan 15, 2008 at 08:12:08AM -0700, Kevin Hilton wrote:
> I don't have any feelings or objections about any of the ciphers or
> hashes included or excluded (ok maybe serpent should be included),
> however I can imagine that deleting old ciphers and hashes would cause
> a problem with backwards compatibility.  Why md5 and cast5 are still
> included is beyond me, other than for backwards compatibility.

Choosing algorithms in OpenPGP is always a delicate balancing act
between technical issues, politics, and market forces.

Is the algorithm strong[1]?  Is the key length long enough?  Has it
been used in the past and a zillion keys have it in their preferences?
Will inclusion of the algorithm into OpenPGP allow use of OpenPGP in a
new industry (some industries in some countries have legally-mandated
algorithms), and so on.

CAST5 is a fine cipher and meets all the above criteria.  Don't assume
that just because it's older than AES, it's worth removing.  3DES is
the oldest cipher in OpenPGP (dating back to the 1970s) and it still
meets all the above criteria.  Arguably, it's better in some ways than
the newer ciphers as it's been actively studied and attacked since the
1970s and still hasn't fallen.

MD5 was effectively removed from OpenPGP.  RFC-4880 says:

  Implementations MUST NOT generate new signatures using MD5 as a hash
  function. They MAY continue to consider old signatures that used MD5
  as valid.

That's as close to removal as is realistic, given the huge number of
existing signatures using MD5 that are out there.

> Lastly, who is this governing body that decides what algorithms should
> be included? The IETF OpenPGP group?  As a regular user of gpg, but
> novice when it comes to the history of PGP/GPG this discussion on the
> history/politics of GPG/PGP has been very interesting for me.

http://www.ietf.org/html.charters/openpgp-charter.html

David

[1] I'm defining "strong" here in the loose sense of there are no
    workable attacks against it.  Remember that SHA-1 was broken, but
    it is still in daily use as the break didn't reduce its strength
    enough for a workable attack.
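The RFC 4880 rule quoted in the message above has two sides: an implementation MUST NOT create a new signature over MD5, but MAY still accept an old one. The following is an added example, not code from the original message and not GnuPG's own code, showing how a verifier would read the hash algorithm out of an OpenPGP signature packet and apply exactly that rule. The packet parsing follows RFC 4880 sections 4.2 (packet headers) and 5.2 (v3/v4 signature layout); the algorithm IDs are from section 9.4. The function names are my own, and the two sample packets are constructed here with dummy signature material purely so the code runs offline.

```python
"""Apply the RFC 4880 MD5 rule to OpenPGP signature packets (added example)."""

# Hash algorithm IDs, RFC 4880 section 9.4.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
MD5 = 1
SIGNATURE_TAG = 2  # packet tag for a Signature Packet


def parse_packet_header(data: bytes):
    """Return (tag, body_offset, body_length) for one OpenPGP packet.

    Supports old-format headers (tag in bits 5-2, 1/2/4-byte length) and
    new-format headers (tag in bits 5-0, 1/2/5-byte length), RFC 4880 4.2.
    Partial and indeterminate body lengths are rejected rather than guessed.
    """
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("bit 7 must be set in a packet header")
    if ctb & 0x40:                                   # new format
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03       # old format
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, int.from_bytes(data[1:3], "big")
    if ltype == 2:
        return tag, 5, int.from_bytes(data[1:5], "big")
    raise ValueError("indeterminate length not supported")


def signature_hash_algo(packet: bytes) -> int:
    """Return the hash algorithm ID of a v3 or v4 signature packet."""
    tag, off, length = parse_packet_header(packet)
    if tag != SIGNATURE_TAG:
        raise ValueError(f"not a signature packet (tag {tag})")
    body = packet[off:off + length]
    version = body[0]
    if version == 4:
        # v4: version, sig type, pubkey algo, hash algo, subpackets, ...
        return body[3]
    if version == 3:
        # v3: version, 0x05, sig type, time(4), key ID(8), pubkey algo, hash algo
        return body[16]
    raise ValueError(f"unsupported signature version {version}")


def check_signature_policy(packet: bytes, generating: bool):
    """RFC 4880's MD5 rule: refuse MD5 when signing, tolerate it when verifying.

    Returns (allowed, reason).
    """
    algo = signature_hash_algo(packet)
    name = HASH_ALGOS.get(algo, f"unknown({algo})")
    if algo == MD5:
        if generating:
            return False, "MUST NOT generate new signatures using MD5"
        return True, "MAY continue to consider an old MD5 signature as valid"
    return True, f"hash {name} permitted"


# --- constructed sample packets (dummy signature material, for illustration) ---

def build_v4_signature(hash_algo: int) -> bytes:
    """Minimal v4 signature packet with an old-format header (constructed)."""
    body = bytes([4, 0x00, 1, hash_algo])       # version 4, binary doc, RSA, hash
    body += b"\x00\x00" + b"\x00\x00"           # no hashed / unhashed subpackets
    body += b"\xca\xfe"                         # left 16 bits of hash (dummy)
    body += b"\x00\x08\xab"                     # one 8-bit MPI (dummy)
    return bytes([0x88, len(body)]) + body      # 0x88 = old format, tag 2, 1-byte length


def build_v3_signature(hash_algo: int) -> bytes:
    """Minimal v3 signature packet with a new-format header (constructed)."""
    body = bytes([3, 5, 0x00])                  # version 3, hashed len 5, binary doc
    body += b"\x47\x8c\xd2\x00"                 # creation time (dummy)
    body += b"\x01\x23\x45\x67\x89\xab\xcd\xef" # signing key ID (dummy)
    body += bytes([1, hash_algo])               # RSA, hash algo
    body += b"\xca\xfe" + b"\x00\x08\xab"       # hash prefix + one MPI (dummy)
    return bytes([0xC2, len(body)]) + body      # 0xC2 = new format, tag 2


if __name__ == "__main__":
    for pkt, gen in ((build_v4_signature(MD5), True), (build_v3_signature(MD5), False),
                     (build_v4_signature(8), True)):
        print(HASH_ALGOS[signature_hash_algo(pkt)], "generating" if gen else "verifying",
              check_signature_policy(pkt, gen))
```

The asymmetry is the whole point: a single "is MD5 allowed?" boolean would either break verification of every pre-2008 signature or keep letting new MD5 signatures out the door, so the policy has to know which direction the packet is travelling in.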



More information about the Gnupg-users mailing list