On the advisability of stronger digests than SHA-1 in OpenPGP certifications

David Shaw dshaw at jabberwocky.com
Sun Jun 29 15:50:20 CEST 2014

On Jun 29, 2014, at 6:23 AM, Werner Koch <wk at gnupg.org> wrote:

> On Sat, 28 Jun 2014 15:22, dshaw at jabberwocky.com said:
>> I put a limited workaround in GnuPG at the time - that's why the
>> encryption key is always written to the card after the auth key (so
>> the encryption key would always be the "newest".  Of course, that
> I have not checked but I assume that this does not work anymore because
> at some point we started to create all keys with the same timestamp.

Ha, sure enough.  Looks like that was quite a few years ago.  I won't guess how many people are still using PGP 8, but if they're out there, they're likely not using it to interoperate with people using smartcards.  Given the lack of bug reports since this change way back in 2009, I'll go out on a limb and wager that the intersection between PGP 8 users, if they still exist, and smartcard users isn't exactly large.

