On the advisability of stronger digests than SHA-1 in OpenPGP certifications [was: Re: riseup.net OpenPGP Best Practices article]

shmick at riseup.net shmick at riseup.net
Fri Jun 27 15:54:51 CEST 2014



Robert J. Hansen:
> On 6/26/2014 5:57 PM, Daniel Kahn Gillmor wrote:
>> PGP 8 was released over a decade ago, that's hardly a modern
>> implementation:
> 
> And yet, it still conforms (largely) to RFC4880.  Methinks you're
> objecting because it's a largely-conforming implementation that doesn't
> have good support for SHA256.  ;)
> 
>> In what ways is its support for SHA-256 limited?  I'm having a hard
>> time finding documentation for it.
> 
> If I recall correctly, it can understand SHA-256 but not generate
> SHA-256.  SHA-256 generation support was added late in the 8.x series,
> but earlier 8.x releases could understand it.
> 
>> How many people use it?
> 
> It's not as if there are Nielsen ratings for these things.  All I can do
> is say that I still regularly encounter it when I talk to people about
> PGP.  For instance, I know of one law firm that purchased a site license
> for 8.x and refuses to upgrade, since the more recent editions cost a
> fortune in per-seat licenses and have very little in the way of new
> functionality.

i think the point daniel is making is that there is freely available
software which is actively maintained and receives security updates and
is not a decade old

any modern OS can utilise thunderbird + enigmail as an example

there's great work done to bring gnupg to windows with gpg4win

why *wouldn't* you use it ?

is it really a case of obdurateness, "if it ain't broke don't fix it,"
or an unwillingness to use and get accustomed to something new and/or
different, perhaps a new gui - look, i completely sympathise with the
latter especially for older people if i may generalise

if you're a windows user you'll have to upgrade after 10 years if you
want to keep safe or pay ($) for it; ok, now i sympathise with people
not wanting a new gui with windows 8

> 
>> Why should anyone cater to users of PGP 8.x in 2014 when we have an 
>> opportunity to provide a stronger cryptographic baseline for everyone
>> else?
> 
> Because there are still people using it.

see above
they don't *have* to but, sure, they *can*

> 
> Remember, GnuPG also supports most of RFC1991 because we've got a large
> base of PGP 2.6 users who are refusing to upgrade...


