On the advisability of stronger digests than SHA-1 in OpenPGP certifications [was: Re: riseup.net OpenPGP Best Practices article]

John Clizbe John at enigmail.net
Fri Jun 27 22:24:51 CEST 2014

Kristian Fiskerstrand wrote:
> On 06/27/2014 03:54 PM, shmick at riseup.net wrote:
>> Robert J. Hansen:
>>> On 6/26/2014 5:57 PM, Daniel Kahn Gillmor wrote:
>>>> PGP 8 was released over a decade ago, that's hardly a modern 
>>>> implementation:
>>> And yet, it still conforms (largely) to RFC4880.  Methinks
>>> you're objecting because it's a largely-conforming implementation
>>> that doesn't have good support for SHA256.  ;)
>>>> In what ways is its support for SHA-256 limited?  I'm having a
>>>> hard time finding documentation for it.
>>> If I recall correctly, it can understand SHA-256 but not
>>> generate SHA-256.  SHA-256 generation support was added late in
>>> the 8.x series, but earlier 8.x releases could understand it.

That is as I remember it, Rob. I don't recall if there was a difference
between 8.0 and 8.1 with respect to SHA-256. JM3 probably would.

>> any modern OS can utilise thunderbird + enigmail as an example

Any? Maybe for the Windows/Linux/Mac case.

>> there's great work done to bring gnupg to windows with gpg4win
>> why *wouldn't* you use it ? 

In the US? Sarbanes-Oxley or any other retention/retrieval laws and
regulations. [see below] Those requirements have a way of spreading
internationally within a corporation or business sector.

> You won't convince a corporate IT department in a Law firm (or for
> that matter Financial world) about it. They want SLAs and support, and
> who knows what custom addons they have for their Outlook setup for
> various functions that makes it impractical to switch to Thunderbird
> (does it support Exchange these days?)

HR, and Compliance/Legal are some other departments that would veto the move.

PGP 8.x has a couple non-RFC extensions that make it quite popular in the
corporate world: ADKs, and X.509 certifications on PGP keys.

The accompanying LDAP-based PGP Keyserver is also often found in this
environment, if they haven't added the keyserver functionality to their
corporate directories.

PGP also had plugins for GroupWise and Notes, in addition to Outlook.


John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

More information about the Gnupg-users mailing list