SHA1 depreciation ??

Lou Wynn lewisurn at gmail.com
Fri Jun 30 02:33:32 CEST 2017


On 06/29/2017 02:31 PM, Robert J. Hansen wrote:
>> SHA1 got broken some months ago, but I see no useful move to get rid
>> of using it for even new stuff.
> (a) Not for OpenPGP's uses.  For our uses it's still safe, although we
> recommend moving to other, better, hashes as soon as possible.
>
> (b) It's pretty easy to avoid using SHA-1.  There are still a small
> number of places where it's mandatory, and this will not change until
> the IETF OpenPGP Working Group publishes the v5 key specification.
>
> (c) The IETF OpenPGP WG is working on a new key specification ("v5")
> which completely gets rid of SHA-1.

As for the current version v4, SHA1 is used to compute the fingerprint.
Are there other mandatory places?

Others such as signature hash and password hash do not depend on SHA1.

Do you know any time frame and significant changes of v5 specs?


Thanks,

Lou

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20170629/c5e19ad3/attachment-0001.html>


More information about the Gnupg-users mailing list