riseup.net OpenPGP Best Practices article

Gabriel Niebler gabriel.niebler at gmail.com
Tue Jun 24 13:28:16 CEST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 24.06.2014 09:36, Cpp wrote:
> I was going to create a new PGP key myself by following that
> article. Werner, do you have any more input or comments to add
> regarding that article? I am curious to hear input from multiple
> sources/people.

I consider myself quite the amateur (I haven't even read most of RFC
4880 yet), but I do take issue with one point in the riseup.net Best
Practices page, namely the bit where it says "self-signatures must not
use SHA1".
I find that statement too strong.

AFAICS this will lead to keys which may not be understood by some
perfectly standards-compliant OpenPGP implementations, since SHA-1 is
the _only_ hashing algorithm that MUST be supported by all
implementations of that standard. Everything else is up to the
implementer.

I do not know that there are any such implementations out there, but
there seem to be a lot of people "rolling their own" who occasionally
post to this very list.

Possibly breaking OpenPGP compatibility does not seem like a Best
Practice to me. I raised this concern in a comment on the _original_
page at https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
but it didn't garner any interest.

I believe additional self-signatures can always be added to existing
UIDs and subkeys later and I presume (someone correct me, if I'm
wrong, please) they can use other hashing algos. That might be a way
to get "the best of both worlds": Not breaking standards-compliant
clients (which would hopefully just ignore the self-sigs they can't
understand and focus on those they can) AND strong hashing.

Maybe other people can weigh in on this, notably those involved with
that document. I would be especially interested to hear dkg's opinion.

Cheers
gabe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCgAGBQJTqWDJAAoJEO7XEikU4kSzTHwH/RDpwO5DI71kEMm5MwgH05yi
lO91dlfO8RZygbHZGGN0TaxckqG2OgwXB6ItBZkJumjlXpU5rP6Z4UmrHbUyTTmp
KZYqv98UFLunZ9W784gel1fbI3pCycTs+yaODanHFIsGOapqiW14DnWhJVLFY6Zj
M+SuIz9t+x9f15x1jdhUGz8FlKp5+3ptYapMNaFgeruUPNHCD6lRIdFGjSc1MV7r
PLC7s9yWpOBVmw0n5vlkL5uiRRryrTYkuU3/66sOgtSzCT9EEyAmFkSp6P0sztcl
CitahspXrCiT8KHxd9w8gsOHSKwGT+EY4g9UFUciC1ED0F9HP55hcJSsfL1U/oU=
=gMvc
-----END PGP SIGNATURE-----
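The post above suggests keeping a SHA-1 self-signature for interoperability while adding further self-signatures that use a stronger hash. Whether a key actually carries such a mix can be checked by walking its packets as laid out in RFC 4880: each v4 signature packet states its hash algorithm in its fourth octet, and a self-signature is one whose Issuer subpacket matches the primary key's key ID. The following is an added example written for this page, not code from the post's author, the riseup.net page or GnuPG. It builds a constructed, cryptographically meaningless key (dummy RSA MPIs, unverifiable signature MPIs) purely so the parser has input to run on; on a real key you would feed it the binary (de-armored) packets instead.

```python
"""Report the hash algorithm used by each self-signature on an OpenPGP v4 key.

Added example: a minimal RFC 4880 packet walk, not GnuPG code. It reads hash
algorithm IDs and Issuer subpackets only; it does not verify any signature.
"""
import hashlib
import struct

# Hash algorithm IDs from RFC 4880 section 9.4
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Signature types that can be self-signatures: UID certifications (0x10-0x13),
# subkey binding (0x18) and direct-key (0x1F)
SELF_SIG_TYPES = {0x10, 0x11, 0x12, 0x13, 0x18, 0x1F}


def _read_packets(data):
    """Yield (tag, body) for every packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:  # new-format header (RFC 4880 4.2.2)
            tag, i = first & 0x3F, i + 1
            if data[i] < 192:
                length, i = data[i], i + 1
            elif data[i] < 224:
                length, i = ((data[i] - 192) << 8) + data[i + 1] + 192, i + 2
            elif data[i] == 255:
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header (RFC 4880 4.2.1)
            tag, lentype, i = (first >> 2) & 0x0F, first & 0x03, i + 1
            if lentype == 0:
                length, i = data[i], i + 1
            elif lentype == 1:
                length, i = struct.unpack(">H", data[i:i + 2])[0], i + 2
            elif lentype == 2:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                length = len(data) - i  # indeterminate: runs to end of input
        yield tag, data[i:i + length]
        i += length


def _subpackets(buf):
    """Yield (type, data) for each signature subpacket (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(buf):
        if buf[i] < 192:
            length, i = buf[i], i + 1
        elif buf[i] < 255:
            length, i = ((buf[i] - 192) << 8) + buf[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
        yield buf[i] & 0x7F, buf[i + 1:i + length]  # strip the critical bit
        i += length


def key_id(pubkey_body):
    """Low 64 bits of the v4 fingerprint: SHA-1 over 0x99, 2-byte length, body."""
    fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body)
    return fp.digest()[-8:]


def self_signature_hashes(keyring):
    """Return [(sig_type, hash_name)] for every self-signature on the primary key."""
    primary, found = None, []
    for tag, body in _read_packets(keyring):
        if tag == 6 and primary is None:          # first public-key packet
            primary = key_id(body)
        elif tag == 2 and body[0] == 4:            # v4 signature packet
            sig_type, hash_algo = body[1], body[3]
            hashed_len = struct.unpack(">H", body[4:6])[0]
            hashed = body[6:6 + hashed_len]
            off = 6 + hashed_len
            unhashed_len = struct.unpack(">H", body[off:off + 2])[0]
            unhashed = body[off + 2:off + 2 + unhashed_len]
            issuer = None
            for sp_type, sp_data in list(_subpackets(hashed)) + list(_subpackets(unhashed)):
                if sp_type == 16:                  # Issuer subpacket
                    issuer = sp_data
            if sig_type in SELF_SIG_TYPES and issuer == primary:
                found.append((sig_type, HASH_ALGOS.get(hash_algo, f"unknown({hash_algo})")))
    return found


def only_weak_hashes(sigs):
    """True when every self-signature uses MD5 or SHA-1 (no stronger alternative present)."""
    return bool(sigs) and all(name in ("MD5", "SHA1") for _, name in sigs)


# ---- constructed sample input (not a real key) ----
def _new_packet(tag, body):
    if len(body) >= 192:
        raise ValueError("sample builder only emits one-octet lengths")
    return bytes([0xC0 | tag, len(body)]) + body


def _mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def _subpacket(sp_type, data):
    return bytes([len(data) + 1, sp_type]) + data


def _sig(sig_type, hash_algo, issuer):
    hashed = _subpacket(2, struct.pack(">I", 1403601097))   # signature creation time
    unhashed = _subpacket(16, issuer)                        # Issuer key ID
    body = (bytes([4, sig_type, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00" + _mpi(0x1234))                    # dummy hash prefix and MPI
    return _new_packet(2, body)


def build_sample_key():
    """Primary RSA key with dummy MPIs, one UID, and SHA1 + SHA512 self-certifications."""
    pub = bytes([4]) + struct.pack(">I", 1403601097) + bytes([1]) + _mpi(0xC0FFEE) + _mpi(65537)
    kid = key_id(pub)
    return (_new_packet(6, pub) + _new_packet(13, b"Example User <user@example.com>")
            + _sig(0x13, 2, kid) + _sig(0x13, 10, kid))


if __name__ == "__main__":
    sigs = self_signature_hashes(build_sample_key())
    for sig_type, name in sigs:
        print(f"self-sig type 0x{sig_type:02x} uses {name}")
    print("only weak hashes:", only_weak_hashes(sigs))
```

On the constructed key this reports one 0x13 self-certification using SHA1 and one using SHA512, the "both worlds" layout the post describes; `only_weak_hashes` flags keys whose self-signatures never go beyond SHA-1. Partial-body packet lengths, v3 signatures and v5 keys are deliberately out of scope here.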
