On 12/12/2010 10:23 AM, Daniel Kahn Gillmor wrote: > What part of OpenPGP certificates require SHA-1?
... At first blush, V4 certificate checksums, symmetrically encrypted integrity protected data packets, the MDC system in general, certificate fingerprints, etc. I just grepped through the RFC looking for any hardcoded SHA-1; David is probably a much better reference than I am on this. Probably the most annoying -- to me, at least -- is the fingerprint requirement. If a preimage collision is discovered in SHA-1 then it's all over. I can take your signature on my enemy's key, graft it onto my own impersonator of my enemy's key, and then get others to believe it.
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
