Confusion with signature digest type.

Pete Stephenson pete at
Fri Apr 26 12:51:35 CEST 2013

On 4/26/2013 5:47 AM, Robert J. Hansen wrote:
> For my own lookout, I don't see that this practice would give me very
> much.  If SHA-1 falls victim to preimage attacks then I'm completely
> screwed anyway on a few dozen fronts simultaneously, and my certificate
> is the least of my worries.
> If I wake up in the middle of the night and discover my house is on fire
> I'm not going to care very much about whether I forgot to turn off the
> coffeepot.  A preimage attack on SHA-1 is my house being on fire:
> avoiding SHA-1 for self-signatures is making sure to turn off the coffeepot.
> I suspect that quite a lot of us are in that same boat.

Indeed. SHA-1 is used pretty much everywhere. If preimage attacks for
SHA-1 become practical a *lot* of stuff will be affected.

That said, it certainly isn't a bad idea to being gracefully
transitioning away from SHA-1.

For existing keys it's probably not a major issue (there's still a *ton*
of 1024-bit DSA keys with SHA-1 in the wild), but it'd probably make
sense for new keys to be generated with stronger defaults (e.g. SHA-256
or higher and, once implemented, SHA-3) and to also use those stronger
hash algorithms for things like certifying keys.


More information about the Gnupg-users mailing list