David Shaw wrote:
> No. Preferences, including the digest preferences, are not relevant
> here at all. This is a signature *you* are making. The digest
> preferences are consulted when someone *else* is making a signature,
> and wants to know if you can handle it.

How would "someone else" (i.e. his GnuPG application) know that he is signing *for me*? Except, that is, if he is encrypting to me at the same time.
For me, it would appear that consulting the preferences of the signing key is sensible when deciding about the hash function to use in the signature. Of course, given that you create signatures at your own system, looking at personal-hash-preferences is also sensible (although one might have different preferences when using different keys, i.e. to match sizes).

What is GnuPG's way to choose a hash function when no recipient is apparent (e.g., detached signing of software packages) and no preferences are available? Conservatively, I would say SHA-1, it being the only MUST algorithm of the RFC (or did this change with 4880?). But for DSA2, this seems not viable. So, is it the shortest SHA-x for the DSA2 key's size, in this case?

cu,
Sven

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
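The constraint behind Sven's question, as an added worked example that is not part of the thread and is not GnuPG's own code: RFC 4880 §13.6 requires that the hash used with a DSA key have an output at least as long as the key's q parameter, and a longer hash is truncated to its leftmost q-size bits before signing. The snippet below applies that rule to an ordered digest preference list and falls back to the shortest SHA-x that fits when nothing in the list does. The digest names, the preference list, and the function names are assumptions made for this illustration; how GnuPG itself orders its candidates is not something this example claims to reproduce.

```python
"""Digest selection for a DSA/DSA2 signing key (illustration, not GnuPG code).

RFC 4880 section 13.6: the hash output must be at least as long as q;
a longer hash is truncated to the leftmost q-size bits. q must be a
multiple of 8 bits. The preference handling and names are assumptions.
"""
import hashlib

# Output sizes in bits of the SHA-family digests defined in RFC 4880.
DIGEST_BITS = {
    "SHA1": 160,
    "SHA224": 224,
    "SHA256": 256,
    "SHA384": 384,
    "SHA512": 512,
}

# Shortest-first order, used as the fallback when no preference fits.
SHA_BY_SIZE = sorted(DIGEST_BITS, key=DIGEST_BITS.__getitem__)


def choose_digest(q_bits, preferences=None):
    """Return the digest name to use for a DSA key whose q is q_bits long.

    preferences: ordered digest names (assumed to come from a personal
    digest preference); the first one whose output is >= q_bits wins.
    If none fits, or none was given, fall back to the shortest SHA-x that
    does fit, which is the behaviour the question above guesses at.
    """
    if q_bits % 8:
        raise ValueError("q size must be a multiple of 8 bits (RFC 4880)")
    for name in preferences or []:
        if name in DIGEST_BITS and DIGEST_BITS[name] >= q_bits:
            return name
    for name in SHA_BY_SIZE:
        if DIGEST_BITS[name] >= q_bits:
            return name
    raise ValueError(f"no defined digest is long enough for a {q_bits}-bit q")


def dsa_hash_input(data, q_bits, digest_name):
    """Hash data and truncate the result to the leftmost q_bits bits.

    This is the value fed to the DSA signing equation. A digest shorter
    than q is rejected outright; it is never zero-padded up to q.
    """
    if DIGEST_BITS[digest_name] < q_bits:
        raise ValueError(f"{digest_name} is too short for a {q_bits}-bit q")
    digest = hashlib.new(digest_name.lower(), data).digest()
    return digest[: q_bits // 8]


if __name__ == "__main__":
    # Constructed inputs: a classic 160-bit-q key and a DSA2 key with 256-bit q.
    prefs = ["SHA1", "SHA256"]
    for q in (160, 224, 256):
        name = choose_digest(q, prefs)
        print(q, name, len(dsa_hash_input(b"package.tar.gz", q, name)) * 8)
```

With the preference list above, a 160-bit q picks SHA1, a 224-bit q skips SHA1 and picks SHA256 (which is then truncated to 224 bits), and a 256-bit q picks SHA256; with no usable preference, a 256-bit q falls back to SHA256 as the shortest SHA-x that satisfies the RFC rule, and SHA1 is refused for it rather than padded.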
