On 4/26/2013 5:47 AM, Robert J. Hansen wrote:
> For my own lookout, I don't see that this practice would give me very
> much. If SHA-1 falls victim to preimage attacks then I'm completely
> screwed anyway on a few dozen fronts simultaneously, and my certificate
> is the least of my worries.
>
> If I wake up in the middle of the night and discover my house is on fire
> I'm not going to care very much about whether I forgot to turn off the
> coffeepot. A preimage attack on SHA-1 is my house being on fire:
> avoiding SHA-1 for self-signatures is making sure to turn off the coffeepot.
>
> I suspect that quite a lot of us are in that same boat.
Indeed. SHA-1 is used pretty much everywhere. If preimage attacks for SHA-1 become practical a *lot* of stuff will be affected.

That said, it certainly isn't a bad idea to begin gracefully transitioning away from SHA-1. For existing keys it's probably not a major issue (there's still a *ton* of 1024-bit DSA keys with SHA-1 in the wild), but it'd probably make sense for new keys to be generated with stronger defaults (e.g. SHA-256 or higher and, once implemented, SHA-3) and to also use those stronger hash algorithms for things like certifying keys.

Cheers!
-Pete

_______________________________________________
Gnupg-users mailing list
http://lists.gnupg.org/mailman/listinfo/gnupg-users
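The two practical steps Pete describes, auditing which hash an existing key's signatures were made with and configuring GnuPG so new self-signatures and certifications use SHA-256 or better, as an added example by the editor (not code from the thread or from the GnuPG project). It assumes the `digest algo N` / `sigclass 0xNN` line format printed by `gpg --list-packets` in the GnuPG 1.4/2.0 series current when this was written, the hash algorithm IDs from RFC 4880 section 9.4, and the `cert-digest-algo`, `personal-digest-preferences` and `default-preference-list` options of gpg.conf. The sample packet dump below is constructed for the example; its key IDs and timestamps are made up, and treating only MD5 and SHA-1 as "weak" is the editor's choice, not anything the post states.

```shell
#!/bin/sh
# Audit the digest algorithm used by the signatures on an OpenPGP key and print a
# gpg.conf fragment that moves new signatures and certifications off SHA-1.
#
# Real usage:
#   signature_digests "$(gpg --export KEYID | gpg --list-packets)"
#   recommended_gpg_conf >> ~/.gnupg/gpg.conf

# Constructed sample of `gpg --list-packets` output (key IDs/timestamps are fabricated):
# an old 1024-bit DSA key whose self-signature (sigclass 0x13) used SHA-1 (digest algo 2),
# plus a later certification (sigclass 0x10) made with SHA-256 (digest algo 8).
# Real gpg output indents sub-lines with a tab; spaces are used here for readability.
SAMPLE_PACKETS='
:public key packet:
    version 4, algo 17, created 1200000000, expires 0
    pkey[0]: [1024 bits]
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 17, keyid 0123456789ABCDEF
    version 4, created 1200000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 12 34
    hashed subpkt 2 len 4 (sig created 2008-01-10)
:signature packet: algo 1, keyid FEDCBA9876543210
    version 4, created 1366000000, md5len 0, sigclass 0x10
    digest algo 8, begin of digest ab cd
    hashed subpkt 2 len 4 (sig created 2013-04-15)
'

# Print "<sigclass> <digest name>" for every signature packet in a --list-packets dump.
# Hash IDs follow RFC 4880 9.4: 1=MD5 2=SHA1 3=RIPEMD160 8=SHA256 9=SHA384 10=SHA512 11=SHA224.
signature_digests() {
  printf '%s\n' "$1" | awk '
    BEGIN { n[1]="MD5"; n[2]="SHA1"; n[3]="RIPEMD160"; n[8]="SHA256"
            n[9]="SHA384"; n[10]="SHA512"; n[11]="SHA224" }
    /^:signature packet:/ { insig = 1; class = "?" }
    insig && /sigclass/ { sub(/.*sigclass /, ""); class = $1 }
    insig && /digest algo/ {
      sub(/.*digest algo /, ""); sub(/,.*/, "")
      print class, (($1 in n) ? n[$1] : "unknown(" $1 ")")
      insig = 0
    }
  '
}

# Count signatures made with a hash we consider weak (MD5 or SHA-1; editor's threshold).
count_weak_sigs() {
  signature_digests "$1" | awk '$2 == "MD5" || $2 == "SHA1" { c++ } END { print c + 0 }'
}

# gpg.conf lines that make new certifications and data signatures prefer SHA-2,
# and write SHA-2 preferences into the self-signature of newly generated keys.
recommended_gpg_conf() {
  cat <<'EOF'
# Hash used when certifying other people's keys (sigclass 0x10-0x13 signatures).
cert-digest-algo SHA256
# Hashes tried, in order, when signing data, subject to the recipient's preferences.
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
# Preferences stored in the self-signature of keys generated from now on.
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
EOF
}

# Run the audit on the constructed sample.
signature_digests "$SAMPLE_PACKETS"
echo "weak-hash signatures: $(count_weak_sigs "$SAMPLE_PACKETS")"
```

On the sample this reports the SHA-1 self-signature and the SHA-256 certification, with one weak signature counted. Note that changing gpg.conf only affects signatures made from then on; an existing self-signature stays SHA-1 until the key is re-self-signed (or, as Pete suggests, a new key is generated with the stronger defaults).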
