On 10/12/10 1:08 AM, Robert J. Hansen wrote: > On 12/9/2010 1:14 AM, Ben McGinnes wrote: >> I am giving very serious thought to creating new keys and >> doing a (long-term) transition to them. This is partly to respond to >> known flaws with SHA-1 and take advantage of SHA-256 and higher. > > My best counsel is: don't, at least not yet.
Okay.
> First, there are no imminent practical attacks on SHA-1. Second,
> the OpenPGP Working Group ("the WG") is currently figuring out how
> to get SHA-1 out of the OpenPGP spec and how to replace it with
> something better.
Userful to know, can I track the WG's progress through this list or is
that done through the IETF or the OpenPGP site?
> If you do a transition now, it's possible you'll want to transition
> again in six months or a year once the WG updates the RFC.
Urgh, what a hideous thought.
> I'd hold off on this, at least for now.
Well, my current key has been perfectly fine since it's creation
nearly a dozen years ago. I'm still sufficiently sure that there is
no imminent threat, so I'm happy to just watch and wait and see what
the WG says.
Regards,
Ben
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
