On the advisability of stronger digests than SHA-1 in OpenPGP certifications [was: Re: riseup.net OpenPGP Best Practices article]

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Fri Jun 27 16:57:25 CEST 2014


On 06/27/2014 03:54 PM, shmick at riseup.net wrote:
> Robert J. Hansen:
>> On 6/26/2014 5:57 PM, Daniel Kahn Gillmor wrote:
>>> PGP 8 was released over a decade ago; that's hardly a modern
>>> implementation:
>> And yet, it still conforms (largely) to RFC4880.  Methinks
>> you're objecting because it's a largely-conforming implementation
>> that doesn't have good support for SHA256.  ;)
>>> In what ways is its support for SHA-256 limited?  I'm having a
>>> hard time finding documentation for it.
>> If I recall correctly, it can understand SHA-256 but not
>> generate SHA-256.  SHA-256 generation support was added late in
>> the 8.x series, but earlier 8.x releases could understand it.
>>> How many people use it?
>> It's not as if there are Nielsen ratings for these things.  All I
>> can do is say that I still regularly encounter it when I talk to
>> people about PGP.  For instance, I know of one law firm that
>> purchased a site license for 8.x and refuses to upgrade, since
>> the more recent editions cost a fortune in per-seat licenses and
>> have very little in the way of new functionality.
> I think the point Daniel is making is that there is freely
> available software which is actively maintained, receives
> security updates and is not a decade old.
> Any modern OS can utilise Thunderbird + Enigmail, as an example;
> there's great work done to bring GnuPG to Windows with Gpg4win.
> Why *wouldn't* you use it?

You won't convince a corporate IT department in a law firm (or, for
that matter, the financial world) about it. They want SLAs and support, and
who knows what custom add-ons they have for their Outlook setup for
various functions that make it impractical to switch to Thunderbird
(does it support Exchange these days?)

-- 
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Aut disce aut discede
Either learn or leave