Use other hash than SHA-1

David Shaw dshaw at jabberwocky.com
Tue May 5 05:46:33 CEST 2009


On May 4, 2009, at 1:40 PM, Christoph Anton Mitterer wrote:

> On Sun, 2009-05-03 at 22:56 -0400, David Shaw wrote:
>> It's important to remember that this isn't a completely SHA-1 free
>> key, as that is not currently possible in the OpenPGP protocol, but
>> it is possible to make a "use as little SHA-1 as possible key".
> Is there anything else than the fingerprint for the revocation
> signatures and MDC?

I believe that's it.  Fingerprints, revocation signatures (which use
fingerprints internally), and the MDC.

>> The end result will be a key that does not use SHA-1 either in its
>> internal construction or in signatures it makes elsewhere.  Keep in
>> mind that there are some clients out there that simply cannot cope
>> with this key and will reject it with one failure message or another.
>> The most recent versions of either PGP or GPG can handle it just fine.
> What would you suggest for existing RSA/DSA2 keys that always used SHA1
> for their self-sigs and cert-sigs on other keys?
> Should those be recreated with the "better" hash algo?

While I would start (did start, actually, a few years ago) using
SHA-256 to certify other people's keys, I wouldn't bother re-issuing
older SHA-1 certifications.

Re-issuing your self-sigs is more or less harmless.  The keyservers
never delete anything, so they'll end up with both the old and new.
Assuming all works properly, the newer clients should end up using the
newer selfsig, and the older clients should keep using the old one (as
they won't be able to verify the new one).  If you're distributing
your key outside of the keyservers, then you can go further and strip
off the old SHA-1 selfsig.  If you do this, you can end up breaking
compatibility with some non-zero percentage of the community.  The
exact amount of breakage depends on your particular circle of
correspondents and how often they upgrade, etc.

David
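As an added example (not code from this thread or from GnuPG), the following Python parser walks an OpenPGP packet stream such as the output of `gpg --export` and reports the hash algorithm each signature packet uses, so the SHA-1 self-sigs and certifications discussed above can be located on a key before deciding whether to re-issue them. The sample bytes at the bottom are constructed, truncated signature packets for illustration, not a real key.

```python
"""List the hash algorithm of every signature packet in an OpenPGP packet stream (RFC 4880)."""
# Hash algorithm IDs (RFC 4880 section 9.4) and signature types (section 5.2.1) we care about.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
SIG_TYPES = {0x10: "generic cert", 0x13: "positive cert", 0x18: "subkey binding",
             0x1F: "direct key", 0x20: "key revocation", 0x30: "cert revocation"}

def iter_packets(data):
    """Yield (tag, body) for each packet; old- and new-format headers, single-chunk lengths only."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("byte %d is not a packet header" % i)
        if ctb & 0x40:  # new-format header: tag in low 6 bits, variable-size length field
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2-5, length type (0/1/2 = 1/2/4 octets) in low 2 bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1, 2, 4)[ltype]
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length

def signature_hashes(data):
    """Return [(signature type, hash name)] for every signature packet (tag 2), v3 or v4."""
    out = []
    for tag, body in iter_packets(data):
        if tag != 2:
            continue  # key, subkey and user ID packets carry no hash choice
        if body[0] == 4:    # v4 layout: version, type, pk algo, hash algo, ...
            sig_type, hash_algo = body[1], body[3]
        elif body[0] == 3:  # v3 layout: version, len(5), type, time(4), key ID(8), pk algo, hash algo
            sig_type, hash_algo = body[2], body[16]
        else:
            raise ValueError("unknown signature version %d" % body[0])
        out.append((SIG_TYPES.get(sig_type, hex(sig_type)), HASH_ALGOS.get(hash_algo, str(hash_algo))))
    return out

# Constructed sample: a user ID packet, then two truncated v4 positive-cert self-sigs (SHA1, SHA256).
SAMPLE = (b"\xb4\x05alice" + b"\x88\x0a\x04\x13\x01\x02\x00\x00\x00\x00\xab\xcd"
          + b"\x88\x0a\x04\x13\x01\x08\x00\x00\x00\x00\x12\x34")
```

Run it over a binary export (`gpg --export KEYID > key.bin`, then `signature_hashes(open("key.bin", "rb").read())`) to see which signatures on the key still use SHA1; this only reports the digest field, it does not verify the signatures.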
