On Wed, Jul 11, 2012 at 11:25 AM, Werner Koch <[email protected]> wrote: > On Wed, 11 Jul 2012 07:56, [email protected] said: > >> V5 discussions will not kick off in earnest until NIST announces the new >> hash standard, or so I've heard people from the working group say. > > And even then it will take 5 years or so until it it has been deployed > widely. Even GnuPG 1.2 is still in use; despite that it has been > declared EOL ages ago. > > The fingerprint and the special features building upon it > (e.g. revocation keys) are targets for an attack based on a SHA-1 > *pre-image* attack. We need to analyze the possible problems and if > needed deploy workarounds for them. SHA-256 for signatures is already > in widespread use - thus I don't see a problem right now. > > The real problem I see for GnuPG is that its maintenance is heavily > under-financed and the pool of volunteers, taking care of it, is quite > small. I am not sure whether PGP is in a better position; giving its > current owner.
A bleak but realistic assessment. But one thing that might be helpful to explain is this: what needs to be in the V5 key format aside from the change in fingerprint hash? Aside from that issue, the V4 key format seems to have been resilient. What are the other issues that need to be addressed? Nicholas _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
