Best Practices

Robert J. Hansen rjh at
Sat Dec 11 17:24:46 CET 2010

On 12/10/2010 9:16 PM, David Tomaschik wrote:
> Are there any disadvantages to distinct signature & encryption keys?

None that I've found.

> Is the weakness in the hash used to sign the key internally, or just when
> it is used to sign data?  I guess that's the part that eludes me.

Err -- "yes."

A certificate is just a block of key material plus some associated data.
 SHA-1 is used internally by the certificate to sign some parts of the
data, as well as for computing a key fingerprint.  You can to some
extent mitigate how much SHA-1 gets used, but you can't remove it

You can also choose to use SHA-1 to sign messages and files.  Here, you
can remove it completely in favor of some other hash algorithm.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5598 bytes
Desc: S/MIME Cryptographic Signature
URL: </pipermail/attachments/20101211/07926e27/attachment-0001.bin>

More information about the Gnupg-users mailing list