Best Practices

Robert J. Hansen rjh at
Mon Dec 13 00:52:47 CET 2010

On 12/12/2010 6:37 PM, Daniel Kahn Gillmor wrote:
> We can (and some of us do) use OpenPGP certificates and exchange
> encrypted and signed material without relying on SHA-1 already.

Not so long as you're looking up key IDs by fragments of SHA-1 hashes,
you're not.

> Again, the entire reason i'm engaging in this thread is to encourage
> people to move to stronger cryptographic algorithms *today*.

That's not the point of this thread.  In fact, as near as I can tell
that's *never* been the point of this thread.  The original poster
wanted to create an entirely new certificate in order to migrate, and my
advice to him was that if he wanted to create an entirely new
certificate that he should wait until the next revision, otherwise he'd
likely be doing another new certificate in a year or two.

I have *never* claimed that we shouldn't move away from SHA-1.  Heck, I
was even the one who told the original poster to use enable-dsa2 in
order to get access to the stronger hash algorithms.

I maintain my original point: if you're thinking of creating an entirely
new certificate just in order to get access to better hash algorithms,
then you are best off waiting for the new revision: otherwise, use the
existing technologies.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5598 bytes
Desc: S/MIME Cryptographic Signature
URL: </pipermail/attachments/20101212/84ec5ce9/attachment-0001.bin>

More information about the Gnupg-users mailing list