Use other hash than SHA-1
dshaw at jabberwocky.com
Tue May 5 05:46:33 CEST 2009
On May 4, 2009, at 1:40 PM, Christoph Anton Mitterer wrote:

> On Sun, 2009-05-03 at 22:56 -0400, David Shaw wrote:
>> It's important to remember that this isn't a completely SHA-1 free
>> key, as that is not currently possible in the OpenPGP protocol, but
>> is possible to make a "use as little SHA-1 as possible key".
> Is there anything else than the fingerprint for the revocation
> signatures and MDC?

I believe that's it. Fingerprints, revocation signatures (which use
fingerprints internally), and the MDC.

>> The end result will be a key that does not use SHA-1 either in its
>> internal construction or in signatures it makes elsewhere. Keep in
>> mind that there are some clients out there that simply cannot cope
>> with this key and will reject it with one failure message or another.
>> The most recent versions of either PGP or GPG can handle it just
> What would you suggest for existing RSA/DSA2 keys that always used
> for their self-sigs and cert-sigs on other keys?
> Should those be recreated with the "better" hash algo?

While I would start (did start, actually, a few years ago) using
SHA-256 to certify other people's keys, I wouldn't bother re-issuing
older SHA-1 certifications.

Re-issuing your self-sigs is more or less harmless. The keyservers
never delete anything, so they'll end up with both the old and new.
Assuming all works properly, the newer clients should end up using the
newer selfsig, and the older clients should keep using the old one (as
they won't be able to verify the new one). If you're distributing
your key outside of the keyservers, then you can go further and strip
off the old SHA-1 selfsig. If you do this, you can end up breaking
compatibility with some non-zero percentage of the community. The
exact amount of breakage depends on your particular circle of
correspondents and how often they upgrade, etc.
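Because re-issued self-sigs sit alongside the old SHA-1 ones on the keyservers, it helps to be able to audit which signatures on a key still use SHA-1. The following is an added shell example, not code from the thread or from GnuPG itself: it parses the output format of `gpg --list-packets` (OpenPGP digest algorithm id 2 is SHA-1, 8 is SHA-256, 10 is SHA-512) and runs over a constructed sample dump rather than a real key.

```shell
#!/bin/sh
# Audit helper: count signature packets in a `gpg --list-packets` dump
# that were made over SHA-1. Reads the dump on stdin.
#
# Real-key pipeline (KEYID is a placeholder):
#   gpg --export "$KEYID" | gpg --list-packets | sha1_sig_count
#
# Going forward, the matching gpg.conf settings that avoid SHA-1 in
# new certifications and in the key's own preference list are:
#   cert-digest-algo SHA256
#   personal-digest-preferences SHA256 SHA512

# Count all signature packets (self-sigs, subkey bindings, certifications).
sig_count() {
    awk '/^:signature packet:/ { n++ } END { print n + 0 }'
}

# Count only the signature packets whose digest algorithm is 2 (SHA-1).
# Continuation lines of a packet are indented; a new packet starts with ":".
sha1_sig_count() {
    awk '
        /^:signature packet:/    { insig = 1; next }
        /^:/                     { insig = 0 }
        insig && /digest algo 2,/ { n++ }
        END { print n + 0 }
    '
}

# Constructed sample dump (not real key material): an SHA-1 self-sig on
# the user ID, a newer SHA-256 self-sig, and an SHA-1 subkey binding sig.
SAMPLE_DUMP=':public key packet:
	version 4, algo 1, created 1230768000, expires 0
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
	version 4, created 1230768000, md5len 0, sigclass 0x13
	digest algo 2, begin of digest ab cd
:signature packet: algo 1, keyid 0123456789ABCDEF
	version 4, created 1241395200, md5len 0, sigclass 0x13
	digest algo 8, begin of digest 12 34
:public sub key packet:
	version 4, algo 1, created 1230768000, expires 0
:signature packet: algo 1, keyid 0123456789ABCDEF
	version 4, created 1230768000, md5len 0, sigclass 0x18
	digest algo 2, begin of digest 56 78'

# Stand-alone demonstration on the sample: prints "2 of 3 signatures use SHA-1".
echo "$(printf '%s\n' "$SAMPLE_DUMP" | sha1_sig_count) of $(printf '%s\n' "$SAMPLE_DUMP" | sig_count) signatures use SHA-1"
```

On a real key the subkey binding signature is the one most easily overlooked when re-issuing self-sigs, since `--edit-key` only refreshes it when the subkey itself is touched.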