howto secure older keys after the recent attacks

Philippe Cerfon philcerf at
Thu Sep 10 23:38:58 CEST 2009

On Thu, Sep 10, 2009 at 5:08 PM, David Shaw <dshaw at> wrote:
> The real headache here is (as always) the practical - what to do with
> existing keys and such.  I suspect that removing SHA1 would effectively mean
> a new key type for OpenPGP (again, not a disaster - we're on our 4th key
> type today).

Ok,.. but then people would "loose" all their collected signatures on
their keys and to other keys :-(

> That isn't to say there aren't differences between systems - the FreeBSD
> PRNG (which seems to have been inherited by OSX) is of a fairly different
> construction than the Linux one, which has led to some mild controversy in
> the past.  Notably, the Linux one blocks if you run out of gathered entropy,
> and the FreeBSD one does not.  FreeBSD /dev/random is similar to Linux's
> /dev/urandom.

So I better use Linux and not FreeBSD ;)

> I'm not exactly sure what you mean by "hash algorithm armor".  RSA in
> OpenPGP does have a additional protection (usually called a "hash firewall")
> that DSA lacks.  This gives some protection against hash substitution
> attacks, but it's not a major deal either way.

Yeah,.. that's the issue I've meant...

> It's true that NIST's guidelines say that to truly get the maximum juice out
> of a 512-bit hash, you should use a 15360-bit key, but that doesn't mean you
> must.  That overall strength of the system is the weakest point, so as long
> as that weakest point is strong enough, you're fine.

*still cannot believe, that I've remembered the exact number :-O *


More information about the Gnupg-users mailing list