cert-digest-algo clarification
Sam Smith
smickson at hotmail.com
Thu Jul 12 18:04:26 CEST 2012
Thx for this explanation.
Is the "personal-digest-preferences" shown in the public key? Is this preference list something others can see (how do I make it appear in the public key)? If it is not displayed in the public key, I don't understand what good it is or how/where it would get used.
> Date: Thu, 12 Jul 2012 11:52:17 -0400
> From: rjh at sixdemonbag.org
> To: gnupg-users at gnupg.org
> Subject: Re: cert-digest-algo clarification
>
> On 7/12/2012 11:39 AM, Sam Smith wrote:
> > Say I want to tell everyone, "Hey, I prefer you use SHA256 when
> > communicating with me." What command should I use to communicate
> > this? "default-preference-list" right?
>
> There's a difference between what you can enforce and what you might be
> able to suggest.
>
> The OpenPGP spec requires that no OpenPGP implementation will ever use
> any algorithm except those that are listed on your certificate as ones
> that your implementation understands. This list of "I can understand
> the following algorithms" can be found by 'gpg --edit-key [keyid] showpref'.
>
> Some OpenPGP implementations, such as GnuPG, will treat that set of
> capabilities as a list of preferences. If your prefs show up as "SHA256
> SHA-1", for instance, an OpenPGP implementation would be forbidden from
> using RIPEMD160, but would be able to use SHA1. GnuPG would likewise be
> forbidden from using RIPEMD160, but would be more likely to use SHA-1
> than SHA256.
>
> GnuPG might still use SHA-1, though! If the sender is using a DSA-1k
> key and does not have --enable-dsa2 active, SHA256 is disallowed for the
> signature, so GnuPG will have to fall back to SHA-1.
>
> The takeaway here is that the capabilities shown on your certificate
> ("gpg --edit-key [keyid] showpref") MAY be used as a preference list,
> are not guaranteed to be used as a preference list, and even if using an
> OpenPGP implementation that treats it as a preference list you may wind
> up getting stuck with SHA-1 anyway.
>
> > So "personal-digest-preferences" overrides this?
>
> No. personal-digest-preferences declares which digest algorithms you
> prefer to use and in which order. The certificate preferences declare
> which algorithms you are *capable* of using (and, for some
> implementations, which algorithms you prefer *other people* to use and
> in which order).
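The selection rules described in the quoted reply, as an added Python sketch that is not part of the original thread and is not GnuPG source code. It is a simplified model: the function names and the key labels "RSA2048" and "DSA1024" are hypothetical, the DSA-1k rule is taken from the reply above, and the tacit SHA-1 entry follows RFC 4880 section 13.3.2.

```python
# Added illustration: a simplified model of digest selection, not GnuPG code.
DIGEST_BITS = {"SHA1": 160, "RIPEMD160": 160, "SHA224": 224,
               "SHA256": 256, "SHA384": 384, "SHA512": 512}


def normalize(name):
    """Accept spellings such as 'SHA-1' or 'sha256'."""
    return name.upper().replace("-", "")


def capability_set(cert_prefs):
    """Digests listed on the recipient's certificate (what showpref prints).
    RFC 4880 section 13.3.2: SHA-1 is tacitly at the end if not listed."""
    caps = []
    for name in map(normalize, cert_prefs):
        if name not in DIGEST_BITS:
            raise ValueError(f"unknown digest: {name}")
        if name not in caps:
            caps.append(name)
    if "SHA1" not in caps:
        caps.append("SHA1")
    return caps


def signer_can_use(digest, signer_key, enable_dsa2):
    """Assumed rule from the thread: a DSA-1k key without --enable-dsa2
    can only sign with a 160-bit hash."""
    if signer_key == "DSA1024" and not enable_dsa2:
        return DIGEST_BITS[digest] == 160
    return True


def choose_digest(cert_prefs, personal_prefs=(), signer_key="RSA2048",
                  enable_dsa2=False):
    """Pick the digest a sender would use for this recipient."""
    caps = capability_set(cert_prefs)
    # The sender's personal-digest-preferences set the order, but only
    # inside the recipient's capability set; they never widen it.
    ordered = [d for d in map(normalize, personal_prefs) if d in caps]
    ordered += [d for d in caps if d not in ordered]
    for digest in ordered:
        if signer_can_use(digest, signer_key, enable_dsa2):
            return digest
    raise RuntimeError("no usable digest")  # unreachable: SHA1 is always in caps
```

The sender's own list only reorders what the recipient's certificate already allows, and the signing key can still force the result down to SHA-1.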