Use other hash than SHA-1

David Shaw dshaw at
Wed May 6 04:16:17 CEST 2009

On May 5, 2009, at 5:21 PM, Christoph Anton Mitterer wrote:

> On Mon, 2009-05-04 at 23:46 -0400, David Shaw wrote:
>> Re-issuing your self-sigs is more or less harmless.  The keyservers
>> never delete anything, so they'll end up with both the old and new.
> I'm not sure if this leads to the same discussion that we had some  
> time
> ago on the WG-list (about explicitly revoking previous self-sigs),...
> but if a key has self-sigs with different hash-algos,... does this
> "allow" downgrad-attacks or that like?

It depends on the attack.  What is the attack you are concerned about?

>> Assuming all works properly, the newer clients should end up using  
>> the
>> newer selfsig, and the older clients should keep using the old one  
>> (as
>> they won't be able to verify the new one).
> Even when they see, that the self-sig with the "better" algo, has a
> newer creation date?
> Would consider this critical :/

They mustn't do this.  They can't, really.  It would enable a pretty  
trivial DoS if I could make up a bogus self-sig with some hash number  
that isn't even allocated yet, but a later date, and send it to a  
keyserver to be attached to my victim key.  GPG must treat any  
signature that does not verify as irrelevant.


More information about the Gnupg-users mailing list