Re-sign subkey binding with changed digest?
Werner Koch
wk at gnupg.org
Thu Jan 9 12:56:42 CET 2020
On Wed, 8 Jan 2020 21:37, Andrew Gallagher said:
> Have you tried changing the subkey expiry? Or does that reuse the same hash?
That is what I would also suggest. The expire sub-command is useful for
all such things. It should always use the current default digest
algorithms.
Regarding the SHA-1 collisions: GnuPG 2.2 still considers SHA-1 based
self-signatures (either on a user-id or a subkey) as valid. If we
would disallow that, all dsa1024 keys would be rendered useless. dsa1024
requires SHA-1. Compared to the trouble we already had with removing
PGP-2 keys, removing dsa1024 would be a much louder outcry.
Nevertheless, moving away from dsa1024 is important. We just can't
force users to do that.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
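A check that could follow the `expire` step suggested in the message above, added here as an example and not part of the original post or of GnuPG: it reads `gpg --list-packets` text and reports which user IDs and subkeys still have a SHA-1 based newest self-signature. The function names and the sample listing are constructed for illustration, and the line layout the regular expressions expect is an assumption modelled on GnuPG 2.2 output.

```python
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
DIGESTS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
           9: "SHA384", 10: "SHA512", 11: "SHA224"}
SELF_SIG_CLASSES = {0x10, 0x11, 0x12, 0x13, 0x18}  # user ID certs, subkey binding
# Assumed layout of a signature packet in the listing (header line plus two detail lines)
SIG = re.compile(r"keyid ([0-9A-F]{16})\s+version \d+, created (\d+), "
                 r"md5len \d+, sigclass 0x([0-9a-f]{2})\s+digest algo (\d+)")

def newest_self_sigs(listing):
    """Map each user ID and subkey to (created, digest) of its newest self-signature."""
    primary = target = None
    newest = {}
    for pkt in re.split(r"(?m)^(?=:)", listing):       # one chunk per packet
        head = pkt.split("\n", 1)[0]
        own = re.search(r"keyid: ([0-9A-F]{16})", pkt)  # key ID line of a key packet
        if head.startswith(":user ID packet:"):
            target = "uid " + head.split(":", 2)[2].strip().strip('"')
        elif head.startswith(":public key packet:") and own:
            primary, target = own.group(1), None
        elif head.startswith(":public sub key packet:") and own:
            target = "sub " + own.group(1)
        elif head.startswith(":signature packet:") and (m := SIG.search(pkt)):
            issuer, created, sigclass, algo = m.groups()
            created, sigclass = int(created), int(sigclass, 16)
            # Only signatures issued by the primary key count; an older one never wins.
            if (issuer == primary and target and sigclass in SELF_SIG_CLASSES
                    and created > newest.get(target, (0, ""))[0]):
                newest[target] = (created, DIGESTS.get(int(algo), "algo " + algo))
    return newest

def still_sha1(listing):
    """Targets whose newest self-signature is still SHA-1 based."""
    return sorted(t for t, (_, d) in newest_self_sigs(listing).items() if d == "SHA1")

# Constructed sample: one user ID, a subkey re-signed with SHA-256, a subkey left alone.
P = "AAAAAAAAAAAAAAAA"
def sample_sig(created, sigclass, algo, issuer=P):
    return (f":signature packet: algo 1, keyid {issuer}\n"
            f"\tversion 4, created {created}, md5len 0, sigclass 0x{sigclass:02x}\n"
            f"\tdigest algo {algo}, begin of digest 00 00\n")
SAMPLE = (f":public key packet:\n\tkeyid: {P}\n"
          ':user ID packet: "Alice <alice@example.org>"\n' + sample_sig(1100000000, 0x13, 2)
          + ":public sub key packet:\n\tkeyid: BBBBBBBBBBBBBBBB\n"
          + sample_sig(1100000000, 0x18, 2) + sample_sig(1578500000, 0x18, 8)
          + ":public sub key packet:\n\tkeyid: CCCCCCCCCCCCCCCC\n" + sample_sig(1100000000, 0x18, 2))

if __name__ == "__main__":
    print("newest self-signature still SHA-1:", still_sha1(SAMPLE))
```

The old SHA-1 binding signature can remain in the keyring next to the new one, which is why the check compares creation times per subkey instead of flagging every SHA-1 packet it sees.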