Best Practices
Robert J. Hansen
rjh at sixdemonbag.org
Sat Dec 11 17:24:46 CET 2010
On 12/10/2010 9:16 PM, David Tomaschik wrote:
> Are there any disadvantages to distinct signature & encryption keys?
None that I've found.
> Is the weakness in the hash used to sign the key internally, or just when
> it is used to sign data? I guess that's the part that eludes me.
Err -- "yes."
A certificate is just a block of key material plus some associated data.
SHA-1 is used internally by the certificate to sign some parts of the
data, as well as for computing a key fingerprint. You can to some
extent mitigate how much SHA-1 gets used, but you can't remove it
completely.
You can also choose to use SHA-1 to sign messages and files. Here, you
can remove it completely in favor of some other hash algorithm.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5598 bytes
Desc: S/MIME Cryptographic Signature
URL: </pipermail/attachments/20101211/07926e27/attachment-0001.bin>
More information about the Gnupg-users
mailing list