sha1 pgp fingerprint

sivmu sivmu at
Thu Jan 26 00:47:36 CET 2017

I have been wondering for a while about the use of sha1 in pgp fingerprints.

Although sha1 may not be easily broken in practise, there are
theoreticall collosion attacks that are feasible for well funded
Cryptographers, like Bruce Schneier, have been recommending for years to
migrate to a new hash algorithm for all sorts of reasons.

New versions of gpg do not use sha1 in any encryption operation if I am
not mistaken. But we still use sha1 fingerprints to compare of our keys.

The question I have not yet found any clear answer for, is why is nobody
talking about this and should pgp keys be identified by a stronger hash
alogrithm in the future?

More information about the Gnupg-users mailing list