why is SHA1 used? How do I get SHA256 to be used?
Werner Koch
wk at gnupg.org
Wed Jul 11 12:25:13 CEST 2012
On Wed, 11 Jul 2012 07:56, rjh at sixdemonbag.org said:
> V5 discussions will not kick off in earnest until NIST announces the new
> hash standard, or so I've heard people from the working group say.
And even then it will take 5 years or so until it has been deployed
widely. Even GnuPG 1.2 is still in use; despite that it has been
declared EOL ages ago.

The fingerprint and the special features building upon it
(e.g. revocation keys) are targets for an attack based on a SHA-1
*pre-image* attack. We need to analyze the possible problems and if
needed deploy workarounds for them. SHA-256 for signatures is already
in widespread use - thus I don't see a problem right now.

The real problem I see for GnuPG is that its maintenance is heavily
under-financed and the pool of volunteers, taking care of it, is quite
small. I am not sure whether PGP is in a better position; given its
current owner.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
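
As background to the fingerprint point in the message above: RFC 4880 (section 12.2) fixes the V4 fingerprint as a SHA-1 hash over the public-key packet, so it does not change with the digest chosen for signatures. The sketch below is an added example, not part of the original post or of GnuPG's code; the key values are constructed and the helper names are hypothetical.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a V4 public-key packet: version, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the packet body (RFC 4880, 12.2)."""
    if not body or body[0] != 4:
        raise ValueError("not a V4 public-key packet body")
    if len(body) > 0xFFFF:
        raise ValueError("packet body too long for a 2-byte length")
    prefix = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(prefix + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 bytes of the V4 fingerprint."""
    return fingerprint[-16:]


# Constructed sample values: a toy 2048-bit modulus, not a real key.
SAMPLE_CREATED = 1341964800
SAMPLE_N = (1 << 2047) + 12345
SAMPLE_E = 65537

if __name__ == "__main__":
    body = v4_rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
    fpr = v4_fingerprint(body)
    # No signature digest preference enters this computation: the hash is
    # fixed by the packet format, which is why only a new key version changes it.
    print("fingerprint:", fpr)
    print("key ID:     ", key_id(fpr))
```
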