1.3.6 cert signatures

David Shaw dshaw at jabberwocky.com
Sat Jul 24 14:06:01 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Jul 24, 2004 at 12:00:04AM -0400, Atom 'Smasher' wrote:
> On Fri, 23 Jul 2004, David Shaw wrote:
> > On Fri, Jul 23, 2004 at 05:50:41PM -0400, Atom 'Smasher' wrote:
> 
> >> should "personal-digest-preferences" affect cert signatures?
> >>
> >> or is that too broad an interpretation of the intent?
> >
> > Yes.  Changing the digest for cert signatures is something that GnuPG
> > supports for protocol completeness, but it's one of those things that
> > you should never do unless you really, really know what you are doing.
> > And even then you probably shouldn't do it.
> ====================
> 
> what problems should i expect if i use SHA-256 on keybinding and cert 
> signatures? (aside from the obvious, that some older implementations won't 
> be able to handle it)

It's the obvious, but it's more than that.  It's also a lot more than
"some older implementations".  There are vastly more installations of
PGP and GnuPG that cannot understand SHA-256 than there are that can
understand SHA-256.

OpenPGP has a (partially deserved) reputation for being fiddly and
difficult to get to work and rife with incompatibilities.  Every
additional key out there that prevents, rather than helps,
communication just adds to this reputation, and becomes one more
barrier to people using it.  It's a community good to have keys that
everyone can use.

In immediate terms, even some encryption fans aren't likely to upgrade
just so they can use your key - they'll send in cleartext, which
pretty much defeats the purpose of you having a key.  Rather than gain
additional security, you've actually lowered it to zero.  New users,
or people who are just playing around with OpenPGP are going to be
utterly baffled by your key, and have one more reason to give
encryption up as too confusing for them.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6-cvs (GNU/Linux)

iGoEARECACoFAkECUKkjGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2tleS5h
c2MACgkQ4mZch0nhy8mEgwCdG5wk8MSbzu+eUe4uidFuIyomBBAAn0+ECuvvzecs
It3b5zWaZqjeMtAD
=SNGw
-----END PGP SIGNATURE-----



More information about the Gnupg-devel mailing list