On the advisability of stronger digests than SHA-1 in OpenPGP certifications [was: Re: riseup.net OpenPGP Best Practices article]

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Fri Jun 27 16:57:25 CEST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 06/27/2014 03:54 PM, shmick at riseup.net wrote:
> 
> 
> Robert J. Hansen:
>> On 6/26/2014 5:57 PM, Daniel Kahn Gillmor wrote:
>>> PGP 8 was released over a decade ago, that's hardly a modern 
>>> implementation:
>> 
>> And yet, it still conforms (largely) to RFC4880.  Methinks
>> you're objecting because it's a largely-conforming implementation
>> that doesn't have good support for SHA256.  ;)
>> 
>>> In what ways is its support for SHA-256 limited?  I'm having a
>>> hard time finding documentation for it.
>> 
>> If I recall correctly, it can understand SHA-256 but not
>> generate SHA-256.  SHA-256 generation support was added late in
>> the 8.x series, but earlier 8.x releases could understand it.
>> 
>>> How many people use it?
>> 
>> It's not as if there are Nielsen ratings for these things.  All I
>> can do is say that I still regularly encounter it when I talk to
>> people about PGP.  For instance, I know of one law firm that
>> purchased a site license for 8.x and refuses to upgrade, since
>> the more recent editions cost a fortune in per-seat licenses and
>> have very little in the way of new functionality.
> 
> i think the point daniel is making is that there is freely
> available software which is actively maintained and receives
> security updates and is not a decade old
> 
> any modern OS can utilise thunderbird + enigmail as an example
> 
> there's great work done to bring gnupg to windows with gpg4win
> 
> why *wouldn't* you use it ?

You won't convince a corporate IT department in a law firm (or, for
that matter, the financial world) about it. They want SLAs and support, and
who knows what custom add-ons they have for their Outlook setup for
various functions that make it impractical to switch to Thunderbird
(does it support Exchange these days?).

- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Aut disce aut discede
Either learn or leave
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----


