Security doubts on 3DES default

Robert J. Hansen rjh at sixdemonbag.org
Tue Mar 14 00:02:48 CET 2017


>> Again, required per the spec, and this can be
>> prevented by having one person
>> on the list use a DSA-2048/-3072 key, which forbids
>> SHA-1 usage.
> 
> Really? Many of the messages to the PGPNET discussion group [0] have
> SHA-1 signatures. Messages are signed and encrypted to about 30 keys,
> one of which is DSA-2048. Showpref on that DSA-2048 key gives
> Digest: SHA1, SHA256, RIPEMD160.

I was speaking a bit too glibly; I'm sorry about that.

If I'm sending to 30 people it's quite likely I'll wind up using CAST or
3DES, since that's the lowest common denominator.  Cipher preferences
have a complex find-the-best-option algorithm that finds what all
recipients can use, then chooses one from among them -- so finding a
"common denominator" of algorithms is important.

But lowest common denominator for signatures is ... it's uncommon to
encounter such a situation; in fact, in 25 years of using PGP I don't
think I've ever encountered it.  If I sign a message with TIGER192 and
you can't verify it, tough luck.  Given this, I don't know how you'd
come up with a real-world case where you'd need a common hash algorithm
set for signing purposes.

But if there were such a case where there was a lowest common
denominator hash algorithm, DSA-2048 requires a 224-bit hash (and -3072
requires 256), so inclusion of either of those would preclude any
160-bit hash being used; they could not appear in a common algorithm set.

More information about the Gnupg-users mailing list
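
Added example, not part of the original message and not GnuPG's code: a simplified Python model of the negotiation the message describes, intersecting every recipient's cipher preferences and applying the DSA digest-size floor to a common hash set. All function names and the sample preference lists are hypothetical, and ranking by summed list position is an assumption of this sketch.

```python
# Simplified model of OpenPGP preference negotiation. Illustrative only:
# this is not GnuPG's selection code, and all names here are hypothetical.

DIGEST_BITS = {"SHA1": 160, "RIPEMD160": 160, "SHA224": 224,
               "SHA256": 256, "SHA384": 384, "SHA512": 512}

# Minimum digest size per DSA key size, as given in the message above.
DSA_MIN_DIGEST_BITS = {2048: 224, 3072: 256}

# RFC 4880: 3DES is mandatory, so it is tacitly at the end of every list.
IMPLICIT_CIPHER = "3DES"


def common_algorithms(pref_lists, implicit=None):
    """Return the algorithms every key accepts, best combined rank first."""
    lists = [list(p) + ([implicit] if implicit and implicit not in p else [])
             for p in pref_lists]
    shared = set(lists[0]).intersection(*lists[1:])
    # Assumption: rank by summed list position, algorithm name as tie-break.
    return sorted(shared, key=lambda a: (sum(l.index(a) for l in lists), a))


def choose_cipher(pref_lists):
    """Pick the best-ranked cipher that all recipients can decrypt."""
    return common_algorithms(pref_lists, IMPLICIT_CIPHER)[0]


def usable_hashes(pref_lists, dsa_bits=None):
    """Common hashes, minus any too short for a DSA key of dsa_bits."""
    floor = DSA_MIN_DIGEST_BITS.get(dsa_bits, 0)
    return [h for h in common_algorithms(pref_lists)
            if DIGEST_BITS.get(h, 0) >= floor]


# Constructed sample preferences (not taken from real keys).
CIPHER_PREFS = [
    ["AES256", "AES192", "AES", "CAST5", "3DES"],
    ["AES256", "TWOFISH", "CAST5"],
    ["CAST5", "3DES"],
]
HASH_PREFS = [
    ["SHA512", "SHA256", "SHA1"],
    ["SHA1", "SHA256", "RIPEMD160"],  # the Digest line quoted in the thread
]

if __name__ == "__main__":
    print("cipher:", choose_cipher(CIPHER_PREFS))
    print("hashes, no floor:", usable_hashes(HASH_PREFS))
    print("hashes, DSA-2048:", usable_hashes(HASH_PREFS, dsa_bits=2048))
```

With these lists one recipient who lacks AES drags the whole message down to CAST5, while the 224-bit floor removes SHA1 from the common hash set.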