On 12/09/2010 09:08 AM, Robert J. Hansen wrote:
> On 12/9/2010 1:14 AM, Ben McGinnes wrote:
>> I am giving very serious thought to creating new keys and
>> doing a (long-term) transition to them. This is partly to respond to
>> known flaws with SHA-1 and take advantage of SHA-256 and higher.
>
> My best counsel is: don't, at least not yet.

Sorry, but I have to disagree with Robert on this (yes, I'm the author of the blog post you linked to earlier). If you want to switch to stronger algorithms, now is a reasonable time to do it.

> First, there are no imminent practical attacks on SHA-1.

That we know of, anyway. Nonetheless, its use for digital signatures has been strongly deprecated by groups like NIST. See [0] for links to NIST recommendations.

> Second, the OpenPGP Working Group ("the WG") is currently figuring out how to get
> SHA-1 out of the OpenPGP spec and how to replace it with something better.

This discussion currently seems to be idle, so I would not wait on it. We need to get the discussion going again, certainly.

> If you do a transition now, it's possible you'll want to transition
> again in six months or a year once the WG updates the RFC.

This statement seems to assume that the RFC can't or won't be updated in a way that people could make the transition using the same key material, assuming they were using strong enough keys and digests in the first place.

My own personal bottom line: I've been using digests from the SHA-2 family for well over a year now (and larger RSA keys for twice that time) and have had no interoperability problems.

--dkg

[0] http://securitymusings.com/article/1587/algorithm-and-key-length-deprecation
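As an added example (this is not part of dkg's message and not GnuPG project documentation), here is a gpg.conf fragment showing the GnuPG settings that move one's own signatures and key certifications from SHA-1 to SHA-2 digests, the switch the message describes having made. The option names are real GnuPG options; the preference order is an illustrative choice.

```conf
# gpg.conf fragment (example, not from the message above)

# Digests to prefer for data signatures, best first. When signing to
# recipients, GnuPG uses the first algorithm here that all recipient keys
# advertise; for plain or detached signatures it uses the first one your
# signing key can carry. Because it is a preference rather than a forced
# value, older peers that only advertise SHA-1 still verify your mail.
personal-digest-preferences SHA512 SHA384 SHA256 SHA224

# Digest used when certifying other people's keys and for the
# self-signatures on your own key. This is not negotiated with anyone,
# so it must be set explicitly or GnuPG falls back to SHA-1.
cert-digest-algo SHA256

# Preference list written into newly generated keys (the same string can
# be applied to an existing key with "setpref" inside --edit-key, then
# "save"). SHA-1 and 3DES need not be listed; OpenPGP makes them
# mandatory fallbacks and GnuPG appends them implicitly.
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

# Deliberately NOT set: "digest-algo SHA256". That option forces the digest
# regardless of what recipient keys advertise, and is the setting that
# produces the interoperability failures people worry about.
```

To confirm a signature you produced actually used the new digest, run `gpg --list-packets` on the signed file; the signature packet line reports `digest algo 8` (SHA256) or `digest algo 10` (SHA512) rather than `digest algo 2` (SHA-1). One caveat worth knowing: an OpenPGP DSA signature is tied to a hash the size of the key's q parameter, so a 1024-bit DSA key carries a 160-bit hash (larger digests are truncated), which is one reason the digest switch is simplest on RSA keys of the size the message mentions.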
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users