cert-digest-algo clarification

Sam Smith smickson at hotmail.com
Thu Jul 12 18:04:26 CEST 2012


Thx for this explanation.

Is the "personal-digest-preferences" shown in the public key? Is this preference list something others can see (how do I make it appear in the public key)? If it is not displayed in the public key, I don't understand what good it is or how/where it would get used.



> Date: Thu, 12 Jul 2012 11:52:17 -0400
> From: rjh at sixdemonbag.org
> To: gnupg-users at gnupg.org
> Subject: Re: cert-digest-algo clarification
> 
> On 7/12/2012 11:39 AM, Sam Smith wrote:
> > Say I want to tell everyone, "Hey, I prefer you use SHA256 when 
> > communicating with me." What command should I use to communicate
> > this? "default-preference-list" right?
> 
> There's a difference between what you can enforce and what you might be
> able to suggest.
> 
> The OpenPGP spec requires that no OpenPGP implementation will ever use
> any algorithm except those that are listed on your certificate as ones
> that your implementation understands.  This list of "I can understand
> the following algorithms" can be found by 'gpg --edit-key [keyid] showpref'.
> 
> Some OpenPGP implementations, such as GnuPG, will treat that set of
> capabilities as a list of preferences.  If your prefs show up as "SHA256
> SHA-1", for instance, an OpenPGP implementation would be forbidden from
> using RIPEMD160, but would be able to use SHA1.  GnuPG would likewise be
> forbidden from using RIPEMD160, but would be more likely to use SHA-1
> than SHA256.
> 
> GnuPG might still use SHA-1, though!  If the sender is using a DSA-1k
> key and does not have --enable-dsa2 active, SHA256 is disallowed for the
> signature, so GnuPG will have to fall back to SHA-1.
> 
> The takeaway here is that the capabilities shown on your certificate
> ("gpg --edit-key [keyid] showpref") MAY be used as a preference list,
> are not guaranteed to be used as a preference list, and even if using an
> OpenPGP implementation that treats it as a preference list you may wind
> up getting stuck with SHA-1 anyway.
> 
> > So "personal-digest-preferences" overrides this?
> 
> No.  personal-digest-preferences declares which digest algorithms you
> prefer to use and in which order.  The certificate preferences declare
> which algorithms you are *capable* of using (and, for some
> implementations, which algorithms you prefer *other people* to use and
> in which order).
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20120712/a452bc66/attachment.htm>


More information about the Gnupg-users mailing list