On Saturday 02 May 2009 15:45:11 David Shaw wrote:
> On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:
> > I would like to use a different hash than SHA-1. I tried setting
> > personal-digest-preferences SHA256 in my gpg.conf but it didn't
> > work. What hash can I use with my key (default DSA/Elgamal key)
> > and how?
>
> The short answer is that you can only use a 160-bit hash with your
> default DSA key. That means SHA-1 or RIPEMD/160. There is a feature
> you can enable (--enable-dsa2) that will allow you to use a bigger
> hash -- but you can still only use 160 bits worth of it. So if you
> use SHA-256, you're actually only taking 160 bits worth of it and
> discarding the rest.
>
> To truly use all of a larger hash, you need to either use an RSA key or
> a large (not default) DSA key (i.e. generated with --enable-dsa2
> switched on, and a larger size than 1024 bits selected).
SHA256 is included in the default pref list even for a regular DSA key. Is that because my own key is not involved when verifying a signature, and gnupg could verify a SHA256 hash created by someone with an RSA or DSA2 key? Is it therefore reasonable to have SHA256 in first place of the key preferences, even for a regular DSA key?

Raimar
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
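An added example, not code from the thread or from GnuPG, that reads the public-key and hash algorithm fields out of a v4 OpenPGP signature packet (the same fields `gpg --list-packets` prints as "digest algo") and applies the DSA truncation rule David describes, so you can check which digest a received signature actually binds. The packet bytes are constructed for illustration, and the signing key's q size is an assumed parameter (160 for the default 1024-bit DSA key), since the signature itself does not carry it.

```python
# OpenPGP algorithm IDs from RFC 4880 section 9 (the subset needed here)
HASH_ALGOS = {2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
HASH_BITS = {"SHA1": 160, "RIPEMD160": 160, "SHA256": 256, "SHA384": 384, "SHA512": 512}
PUBKEY_ALGOS = {1: "RSA", 3: "RSA", 17: "DSA"}   # 3 = RSA sign-only

def _packet_header(buf):
    """Return (tag, body_offset, body_length) for an old- or new-format header."""
    first = buf[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                  # new format, RFC 4880 4.2.2
        tag, n = first & 0x3F, buf[1]
        if n < 192:
            return tag, 2, n
        if n < 224:
            return tag, 3, ((n - 192) << 8) + buf[2] + 192
        if n == 255:
            return tag, 6, int.from_bytes(buf[2:6], "big")
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03    # old format, RFC 4880 4.2.1
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    width = (1, 2, 4)[ltype]
    return tag, 1 + width, int.from_bytes(buf[1:1 + width], "big")

def parse_signature(packet):
    """Report version, type, public-key and hash algorithm of a v4 signature."""
    tag, off, length = _packet_header(packet)
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature")
    body = packet[off:off + length]
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    # v4 body: version, sig type, pubkey algo, hash algo, then subpackets/MPIs
    return {"version": 4, "sig_type": body[1],
            "pubkey_algo": PUBKEY_ALGOS.get(body[2], f"id {body[2]}"),
            "hash_algo": HASH_ALGOS.get(body[3], f"id {body[3]}")}

def effective_digest_bits(hash_algo, pubkey_algo, q_bits=160):
    """Digest bits the signature actually binds. DSA signs only the leftmost
    q bits of the digest (RFC 4880 5.2.2), so with the default 1024-bit key
    (q = 160, assumed here) SHA-256 is cut to 160 bits; RSA uses all of it."""
    bits = HASH_BITS[hash_algo]
    return min(bits, q_bits) if pubkey_algo == "DSA" else bits

# Constructed sample: old-format header, v4 signature of a binary document
# (type 0) by a DSA key with SHA-256, one creation-time subpacket, tiny MPIs.
SAMPLE_SIG = bytes([0x88, 22, 4, 0, 17, 8, 0, 6, 5, 2, 0x49, 0xFB, 0x3A, 0,
                    0, 0, 0x12, 0x34, 0, 8, 0xAB, 0, 8, 0xCD])
```

Feed it the first packet of a detached signature file (`gpg --output sig.gpg --detach-sign file`, then `open("sig.gpg", "rb").read()`) to see the algorithm pair a correspondent's key really produced.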