On the advisability of stronger digests than SHA-1 in OpenPGP certifications [was: Re: riseup.net OpenPGP Best Practices article]
shmick at riseup.net
shmick at riseup.net
Fri Jun 27 15:54:51 CEST 2014
Robert J. Hansen:
> On 6/26/2014 5:57 PM, Daniel Kahn Gillmor wrote:
>> PGP 8 was released over a decade ago, that's hardly a modern
> And yet, it still conforms (largely) to RFC4880. Methinks you're
> objecting because it's a largely-conforming implementation that doesn't
> have good support for SHA256. ;)
>> In what ways is its support for SHA-256 limited? I'm having a hard
>> time finding documentation for it.
> If I recall correctly, it can understand SHA-256 but not generate
> SHA-256. SHA-256 generation support was added late in the 8.x series,
> but earlier 8.x releases could understand it.
>> How many people use it?
> It's not as if there are Nielsen ratings for these things. All I can do
> is say that I still regularly encounter it when I talk to people about
> PGP. For instance, I know of one law firm that purchased a site license
> for 8.x and refuses to upgrade, since the more recent editions cost a
> fortune in per-seat licenses and have very little in the way of new
i think the point daniel is making is that there is freely available
software which is actively maintained and receives security updates and
is not a decade old
any modern OS can utilise thunderbird + enigmail as an example
there's great work done to bring gnupg to windows with gpg4win
why *wouldn't* you use it ?
is it really a case of obdurateness, "if it ain't broke don't fix it,"
or an unwillingness to use and get accustomed to something new and/or
different, perhaps a new gui - look, i completely sympathise with the
latter especially for older people if i may generalise
if you're a windows user you'll have to upgrade after 10 years if you
want to keep safe or pay ($) for it; ok, now i sympathise with people
not wanting a new gui with windows 8
>> Why should anyone cater to users of PGP 8.x in 2014 when we have an
>> opportunity to provide a stronger cryptographic baseline for everyone
> Because there are still people using it.
the don't *have* to but, sure, they *can*
> Remember, GnuPG also supports most of RFC1991 because we've got a large
> base of PGP 2.6 users who are refusing to upgrade...
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
More information about the Gnupg-users