Default hash

Aaron Toponce aaron.toponce at gmail.com
Thu Feb 24 14:48:49 CET 2011 

On Thu, Feb 24, 2011 at 08:37:50PM +1100, Ben McGinnes wrote:
> On 24/02/11 8:03 PM, Doug Barton wrote:
> > You're using a 1024 bit DSA key, which won't allow for 256 bit
> > hashes.  RIPEMD-160 is the largest you can use, and works well for
> > that kind of key.

Okay. That's understandable. That was why I generated a 2048-bit RSA
subkey, so I could take advantage of the SHA2 algorithms. For some
reason, I was thinking that with the update of GPG, my 1024-bit DSA key
now had access to them.

> Well, he can use SHA256 or SHA512, but like mine it will be truncated
> to 160 bits, as was explained to me on this list a couple of months ago.
> 
> As I recall, I edited the key with setpref to this:
> 
> Cipher: AES256, TWOFISH, CAMELLIA256, AES192, CAMELLIA192, AES,
> CAMELLIA128, 3DES, CAST5, BLOWFISH, IDEA
> Digest: SHA512, SHA384, SHA256, SHA224, RIPEMD160, SHA1, MD5
> Compression: BZIP2, ZLIB, ZIP, Uncompressed
> Features: MDC, Keyserver no-modify
> 
> Then added this to gpg.conf:
> 
> enable-dsa2
> default-preference-list S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 S1 H10 H9 H8
> H11 H3 H2 H1 Z3 Z2 Z1 Z0
> personal-cipher-preferences S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 S1
> personal-digest-preferences H10 H9 H8 H11 H3 H2 H1
> personal-compress-preferences Z3 Z2 Z1 Z0

I wanted to avoid breaking from default, which was the main reason for
my post, but it appears that it's not possible if I want to use the
stronger hashes, which is fine. As long as I know the limitations of my
keys, and don't force preferences when sending encrypted/signed mail to
others, I'm good.

> IDEA is only included because of one or two freaks I know who still
> use it.  Oh and some ancient stuff I encrypted around fifteen years
> ago, but have yet to convert.

Yeah, no interest in IDEA here. :)

Thanks for your help.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 527 bytes
Desc: Digital signature
URL: </pipermail/attachments/20110224/c967bde4/attachment.pgp>

More information about the Gnupg-users mailing list