Hash algo for signing - documentation
David Shaw
dshaw at jabberwocky.com
Tue Sep 15 19:12:23 CEST 2009

On Sep 15, 2009, at 9:42 AM, Nicholas Cole wrote:

> Hi all. This is a query mostly for my own interest, but I think it
> might point to a change in the documentation being required.
>
> I was slightly confused by this message
>
> http://lists.gnupg.org/pipermail/gnupg-users/2009-May/036361.html
>
> David suggests (as I read it) that an RSA key created with
> --cert-digest-algo sha256 will continue to use sha256 whenever it
> signs keys, whereas the documentation implies that you would have to
> specify --cert-digest-algo every time a key is signed.

Perhaps I wasn't clear in that message. You definitely need to
specify --cert-digest-algo every time a key is signed (or put it in
your gpg.conf file).

> How does an
> RSA key choose a hash algorithm for this purpose?

For RSA, the rules are: if cert-digest-algo is set, use it. If you
have a PGP 2.x key making a PGP 2.x signature, use MD5. Otherwise,
use SHA-1.

> It might also be worth noting that (if I read
> http://lists.gnupg.org/pipermail/gnupg-users/2009-May/036379.html
> correctly) this option does not control what DSA2 keys use.

No. It does control what DSA keys use, but you must choose an
algorithm that makes sense for the particular DSA key (for example,
you can't use SHA-1 with a DSA 2048-bit key).

David
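
Added example, not part of the original message: because the digest is chosen each time a key is signed, one way to confirm what a given certification actually used is to parse the output of `gpg --export KEYID | gpg --list-packets`. The sample listing below is constructed in that output format, and the function names are hypothetical.

```python
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
DIGEST_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1"}
# Signature classes 0x10-0x13 are certifications of a user ID.
CERT_CLASSES = {0x10, 0x11, 0x12, 0x13}
SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-Fa-f]+)")
CLASS_RE = re.compile(r"sigclass 0x([0-9A-Fa-f]+)")
DIGEST_RE = re.compile(r"digest algo (\d+)")

# Constructed sample in the style of `gpg --list-packets` (not real key data).
SAMPLE = """\
:public key packet:
:user ID packet: "Alice Example <alice@example.org>"
:signature packet: algo 1, keyid 1111111111111111
\tversion 4, created 1253000001, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 5a 3c
:signature packet: algo 1, keyid 2222222222222222
\tversion 4, created 1253034743, md5len 0, sigclass 0x10
\tdigest algo 8, begin of digest 9f 01
:public sub key packet:
:signature packet: algo 1, keyid 1111111111111111
\tversion 4, created 1253000002, md5len 0, sigclass 0x18
\tdigest algo 2, begin of digest 77 aa
"""

def certification_digests(listing):
    """Return (keyid, sigclass, digest_name) for each certification signature."""
    results, keyid, sigclass = [], None, None
    for line in listing.splitlines():
        if line.startswith(":"):  # a new packet begins; reset per-packet state
            m = SIG_RE.match(line)
            keyid, sigclass = (m.group(1).upper() if m else None), None
            continue
        if keyid is None:  # detail line of a non-signature packet
            continue
        if m := CLASS_RE.search(line):
            sigclass = int(m.group(1), 16)
        if (m := DIGEST_RE.search(line)) and sigclass in CERT_CLASSES:
            algo = int(m.group(1))
            results.append((keyid, sigclass, DIGEST_NAMES.get(algo, f"unknown({algo})")))
    return results

def weak_certifications(listing):
    """Certifications made with MD5 or SHA-1."""
    return [r for r in certification_digests(listing) if r[2] in WEAK]
```

The subkey binding signature (sigclass 0x18) in the sample is skipped on purpose, since only user ID certifications are being audited.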