On Thu, Apr 07, 2011 at 10:26:10AM -0700, Jonathan McDowell wrote:
> It's not entirely accurate. The point of those lines is to ensure that
> older (certainly lenny and earlier, I'm not sure when the default
> changed) versions of GnuPG don't use SHA1 when signing keys (either your
> own or others).
From looking at the source code, it seems that the default digest algorithm for signing both data and keys is still SHA-1. There is some special code to handle DSA keys with the size of q > 160 bits, since SHA-1 wouldn't work in those cases. This makes sense since it is the must-implement hash algorithm. So setting these preferences is still recommended for current use. While these preferences do affect key signatures, they also affect other uses as well—uses where SHA-1 is still a bad choice.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
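The practical question the thread raises is whether a given GnuPG installation actually produced SHA-1 signatures, on key certifications and on ordinary data signatures alike, regardless of which gpg.conf preferences were or were not set. The script below is an added example, not part of the original message or of GnuPG itself: it parses the output of `gpg --list-packets` (the `:signature packet:` header, the `sigclass` field and the `digest algo` field, which that command prints for every signature) and reports each signature whose digest is MD5 or SHA-1. The sample listing embedded in it is constructed for the example, with made-up key IDs; the algorithm and signature-class numbers are the OpenPGP registry values from RFC 4880.

```python
"""Flag OpenPGP signatures made with MD5 or SHA-1 in `gpg --list-packets` output.

Usage: gpg --list-packets pubkey.gpg | python3 weak_sigs.py
Run without piped input, it checks the constructed sample below instead.
"""
import re
import sys

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160",
              8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}

# Signature classes (RFC 4880, section 5.2.1). The thread's point is that the
# digest preference governs all of them, not just the 0x1x key certifications.
SIG_CLASSES = {0x00: "binary document", 0x01: "canonical text document",
               0x10: "generic certification", 0x11: "persona certification",
               0x12: "casual certification", 0x13: "positive certification",
               0x18: "subkey binding", 0x1F: "direct key",
               0x20: "key revocation", 0x30: "certification revocation"}

_PACKET_RE = re.compile(r"^:signature packet: algo (\d+), keyid ([0-9A-Fa-f]+)")
_SIGCLASS_RE = re.compile(r"sigclass 0x([0-9A-Fa-f]+)")
_DIGEST_RE = re.compile(r"digest algo (\d+)")

# Constructed sample: a key whose self-signature and a detached data signature
# both use SHA-1 (digest algo 2), plus a third-party certification using SHA256.
# Key IDs are fake; the line layout follows gpg's --list-packets format.
SAMPLE_LISTING = """\
:public key packet:
\tversion 4, algo 1, created 1302200000, expires 0
\tpkey[0]: [4096 bits]
\tpkey[1]: [17 bits]
\tkeyid: 0123456789ABCDEF
:user ID packet: "Example User <example@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1302200000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 1a 2b
\thashed subpkt 2 len 4 (sig created 2011-04-07)
\tsubpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
\tdata: [4095 bits]
:signature packet: algo 1, keyid FEDCBA9876543210
\tversion 4, created 1302200000, md5len 0, sigclass 0x10
\tdigest algo 8, begin of digest 3c 4d
\tdata: [4095 bits]
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1302200000, md5len 0, sigclass 0x00
\tdigest algo 2, begin of digest 5e 6f
\tdata: [4095 bits]
"""


def parse_signatures(listing):
    """Return one dict (keyid, sigclass, digest) per signature packet."""
    sigs = []
    current = None
    for line in listing.splitlines():
        m = _PACKET_RE.match(line)
        if m:
            current = {"keyid": m.group(2).upper(), "sigclass": None, "digest": None}
            sigs.append(current)
            continue
        if line.startswith(":"):      # some other packet type: stop attributing
            current = None             # its fields to the last signature
            continue
        if current is None:
            continue
        m = _SIGCLASS_RE.search(line)
        if m:
            current["sigclass"] = int(m.group(1), 16)
        m = _DIGEST_RE.search(line)
        if m:
            current["digest"] = int(m.group(1))
    return sigs


def _class_name(sigclass):
    if sigclass is None:
        return "unknown class"
    return SIG_CLASSES.get(sigclass, "class 0x%02x" % sigclass)


def weak_signatures(listing):
    """Return (keyid, signature class name, hash name) for each MD5/SHA-1 signature."""
    return [(s["keyid"], _class_name(s["sigclass"]), HASH_ALGOS[s["digest"]])
            for s in parse_signatures(listing) if s["digest"] in WEAK_HASHES]


if __name__ == "__main__":
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for keyid, cls, hash_name in weak_signatures(text):
        print("%s: %s signature uses %s" % (keyid, cls, hash_name))
```

Running it over an exported public key shows which certifications on the key were made with SHA-1; running it over a detached `.sig` or a signed message shows the same for data signatures, which is the second category the message above says the preferences also govern. Signatures on keys you have already distributed cannot be changed retroactively, but re-certifying after changing the digest preference produces new SHA-2 signatures that this check will no longer flag.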