On the advisability of stronger digests than SHA-1 in OpenPGP certifications

Peter Lebbing peter at digitalbrains.com
Fri Jun 27 19:46:45 CEST 2014


On 27/06/14 15:54, shmick at riseup.net wrote:
> why *wouldn't* you use it ?

I think it's possible a good portion of these users have custom-written software
that's integrated into a larger system, which uses PGP. So even though GnuPG is
free to use, they'd still have to contract some software development company to
integrate it into their custom software.

I'm purely speculating; however, it doesn't seem an unreasonable case where it's
not just obtuse "I don't like change".

Plus, you still need to pay your system administrator or similar to deploy all
the changes, and the lost productivity of your employees while they get used to
the new system.

And this not because management wanted it, but because people on a mailing list
thought this would really be the best for you. Never mind that in the current
economy you're worrying whether you can afford to keep that young father or
mother employed and keep your business running. Fire that guy/gal, and get
yourself some SHA-256. Okay, now I'm getting a bit carried away ;). If you
didn't like this last bit, here's the start: ^H^H^H^H^H

I however have no clue what you expose yourself to when you still use PGP 8.x.
It could be possible that these guys take irresponsible risks, I don't know.

HT^H,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
