On the advisability of stronger digests than SHA-1 in OpenPGP certifications
Johannes Zarl
johannes at zarl.at
Sat Jun 28 13:57:57 CEST 2014
On Friday 27 June 2014 19:35:12 Robert J. Hansen wrote:
> On 6/27/2014 6:31 PM, Johannes Zarl wrote:
> > 1. legacy PGP implementations in closed corporate environments
>
> Be careful about that phrase "legacy." Too often it's used as a slur.
> It's more accurate to say, "PGP installations in corporate
> environments." There's no reason to think these installations are
> closed, or that the IT departments are being unreasonable.
I do not think of "legacy" as a slur, but as a descriptive term.
Yes, it can have a negative connotation, but that largely depends on who you
ask: the person using a legacy application that pre-dates the internet and
holds 30+ years of distilled business-knowledge might have a vastly different
take on the term "legacy" than the person whose task it is to couple a webshop
with worldwide shipping to a database that uses 7-bit fixed length database
fields.
To me there is a simple "legacy" test: If X could sensibly be used for a newly
developed project that runs for at least the next 5 years, then it is not a
legacy system; otherwise it is.
Nobody (at least I assume nobody) goes around exclaiming: "PGP 8 is just the
tool that we want to base our future projects on."