[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Updating GPG howto (http://keyring.debian.org/creating-key.html)

On Thu, Apr 07, 2011 at 10:26:10AM -0700, Jonathan McDowell wrote:
> It's not entirely accurate. The point of those lines are to ensure that
> older (certainly lenny and earlier, I'm not sure when the default
> changed) versions of GnuPG don't use SHA1 when signing keys (either your
> own or others).

From looking at the source code, it seems that the default digest
algorithm for signing both data and keys is still SHA-1.  There is some
special code to handle DSA keys with the size of q > 160 bits, since
SHA-1 wouldn't work in those cases.  This makes sense since it is the
must-implement hash algorithm.  So setting these preferences is still
recommended for current use.  While these preferences do affect key
signatures, they also affect other uses as well—uses where SHA-1 is
still a bad choice.

brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Attachment: signature.asc
Description: Digital signature

Reply to: