Confusion with signature digest type.

Robert J. Hansen rjh at
Fri Apr 26 05:47:49 CEST 2013

On 4/25/2013 9:13 PM, Mason Loring Bliss wrote:
> I've been reading some "best practises" documents, and it was suggested that
> I not use SHA-1 as my self-signature digest algorithm:

Beware of "best practices."  What makes a practice best depends greatly
on the specific threats you face, and unless the author knows your
particular threat model a healthy amount of skepticism is warranted.
Examine each claim critically and ask yourself, "does this practice give
me any real, measurable, quantifiable advantage in the context of my
threat model?"

For my own lookout, I don't see that this practice would give me very
much.  If SHA-1 falls victim to preimage attacks then I'm completely
screwed anyway on a few dozen fronts simultaneously, and my certificate
is the least of my worries.

If I wake up in the middle of the night and discover my house is on fire
I'm not going to care very much about whether I forgot to turn off the
coffeepot.  A preimage attack on SHA-1 is my house being on fire:
avoiding SHA-1 for self-signatures is making sure to turn off the coffeepot.

I suspect that quite a lot of us are in that same boat.

More information about the Gnupg-users mailing list