multiple subkeys and key transition

Daniel Kahn Gillmor dkg at
Thu Dec 9 19:01:39 CET 2010

On 12/09/2010 09:08 AM, Robert J. Hansen wrote:
> On 12/9/2010 1:14 AM, Ben McGinnes wrote:
>>  I am giving very serious thought to creating new keys and
>> doing a (long-term) transition to them.  This is partly to respond to
>> known flaws with SHA-1 and take advantage of SHA-256 and higher.
> My best counsel is: don't, at least not yet.

Sorry, but i have to disagree with Robert on this (yes, i'm the author
of the blog post you linked to earlier).  If you want to switch to
stronger algorithms, now is a reasonable time to do it.

> First, there are no imminent practical attacks on SHA-1.

That we know of, anyway.  Nonetheless, its use for digital signatures
has been strongly deprecated by groups like NIST.  See [0] for links to
NIST recommendations.

> Second, the
> OpenPGP Working Group ("the WG") is currently figuring out how to get
> SHA-1 out of the OpenPGP spec and how to replace it with something better.

This discussion currently seems to be idle, so i would not wait on it.
We need to get the discussion going again, certainly.

> If you do a transition now, it's possible you'll want to transition
> again in six months or a year once the WG updates the RFC.

This statement seems to assume that the RFC can't or won't be updated in
a way that people could make the transition using the same key material,
assuming they were using strong enough keys and digests in the first place.

My own personal bottom line: i've been using digests from the SHA-2
family for well over a year now (and larger RSA keys for twice that
time) and have had no interoperability problems.


