On Wed, 11 Jul 2012 07:56, [email protected] said: > V5 discussions will not kick off in earnest until NIST announces the new > hash standard, or so I've heard people from the working group say.
And even then it will take 5 years or so until it it has been deployed widely. Even GnuPG 1.2 is still in use; despite that it has been declared EOL ages ago. The fingerprint and the special features building upon it (e.g. revocation keys) are targets for an attack based on a SHA-1 *pre-image* attack. We need to analyze the possible problems and if needed deploy workarounds for them. SHA-256 for signatures is already in widespread use - thus I don't see a problem right now. The real problem I see for GnuPG is that its maintenance is heavily under-financed and the pool of volunteers, taking care of it, is quite small. I am not sure whether PGP is in a better position; giving its current owner. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
