Best Practices
Robert J. Hansen
rjh at sixdemonbag.org
Sun Dec 12 17:21:13 CET 2010
On 12/12/2010 10:23 AM, Daniel Kahn Gillmor wrote:
> What part of OpenPGP certificates require SHA-1?
... At first blush, V4 certificate checksums, symmetrically encrypted
integrity protected data packets, the MDC system in general, certificate
fingerprints, etc. I just grepped through the RFC looking for any
hardcoded SHA-1; David is probably a much better reference than I am on
this.
Probably the most annoying -- to me, at least -- is the fingerprint
requirement. If a preimage collision is discovered in SHA-1 then it's
all over. I can take your signature on my enemy's key, graft it onto my
own impersonator of my enemy's key, and then get others to believe it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5598 bytes
Desc: S/MIME Cryptographic Signature
URL: </pipermail/attachments/20101212/a166001c/attachment.bin>
More information about the Gnupg-users
mailing list