On the advisability of stronger digests than SHA-1 in OpenPGP certifications

Johannes Zarl johannes at zarl.at
Sat Jun 28 13:57:57 CEST 2014

On Friday 27 June 2014 19:35:12 Robert J. Hansen wrote:
> On 6/27/2014 6:31 PM, Johannes Zarl wrote:
> > 1. legacy PGP implementations in closed corporate environments
> Be careful about that phrase "legacy."  Too often it's used as a slur.
> It's more accurate to say, "PGP installations in corporate
> environments."  There's no reason to think these installations are
> closed, or that the IT departments are being unreasonable.

I do not think of "legacy" as a slur, but as a descriptive term.

Yes, it can have a negative connotation, but that largely depends on who you 
ask: the person using a legacy application that pre-dates the internet and 
holds 30+ years of distilled business-knowledge might have a vastly different 
take on the term "legacy" than the person whose task it is to couple a webshop 
with worldwide shipping to a database that uses 7-bit fixed length database 

To me there is a simple "legacy" test: If X could sensibly be used for a newly 
developed project that runs for at least the next 5 years, then it is not a 
legacy system; otherwise it is.

Nobody (at least I assume nobody) goes around exclaiming: "PGP 8 is just the 
tool that we want to base our future projects on."
