Avoid recipient-compatibility SHA1

Ernst G Giessmann giessman at informatik.hu-berlin.de
Tue Nov 17 17:37:38 CET 2020


The answer to the second question is:

A SHA-1 collision of two documents D1 and D2 means that the hash values
Hash(D1) and Hash(D2) are equal, which in turn means that (regardless
of who signs) any signature of D1 (be it OpenPGP or S/MIME) can also be
used as a signature of D2. Any signer and any key, if used with SHA-1!

So if you got a harmless document D to sign, you must be sure that there
is no evil twin of it. This is usually the case if you are the author of
D, because the construction of an evil twin remains hard. But it is easy
to construct docs with the same hash value.

/Ernst.

Am 2020-11-17 um 16:47 schrieb Stefan Claas via Gnupg-users:
> ...
> Second question:
>
> What does it really mean for the OpenPGP ecosystem if a SHA1 collision
> were found in an email or detached signed document or file? I ask
> because when one checks a GnuPG digitally signed message or file, it
> usually says it comes from the key (owner) blah and this key has a
> fingerprint of blah if one checks.
>
> Regards
> Stefan
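
The reply above says a signature covers only the hash value, so it carries over to any document with the same hash. The following is an added example, not part of the original message or of GnuPG: a toy hash-then-sign scheme in which SHA-1 truncated to 24 bits stands in for a hash with findable collisions. The RSA key, the truncation lengths, the message text and all function names are assumptions chosen for illustration.

```python
import hashlib

# Toy RSA key built from two Mersenne primes (constructed for this example;
# far too small for real use, and textbook RSA without padding).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def weak_hash(data: bytes) -> int:
    """SHA-1 cut to 24 bits: stand-in for a hash whose collisions can be found."""
    return int.from_bytes(hashlib.sha1(data).digest()[:3], "big")

def strong_hash(data: bytes) -> int:
    """SHA-256 cut to 88 bits so the value fits below the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:11], "big")

def sign(data: bytes, h) -> int:
    # The private-key operation sees only h(data), never the document itself.
    return pow(h(data), D, N)

def verify(data: bytes, sig: int, h) -> bool:
    return pow(sig, E, N) == h(data)

def find_collision(h):
    """Birthday search over constructed messages until two share a digest."""
    seen = {}
    i = 0
    while True:
        msg = b"constructed document #%d" % i
        digest = h(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg
        i += 1

def demo() -> dict:
    d1, d2 = find_collision(weak_hash)
    sig_weak = sign(d1, weak_hash)      # signer only ever saw D1
    sig_strong = sign(d1, strong_hash)
    return {
        "distinct": d1 != d2,
        "weak_transfers": verify(d2, sig_weak, weak_hash),
        "strong_transfers": verify(d2, sig_strong, strong_hash),
    }

if __name__ == "__main__":
    print(demo())
```

The signature made over D1 verifies for D2 under the colliding hash and fails under the stronger one, whichever key signed.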



