On Apr 26, 2013, at 12:18 PM, Mason Loring Bliss <[email protected]> wrote:
> On Thu, Apr 25, 2013 at 11:47:49PM -0400, Robert J. Hansen wrote:
>
>> A preimage attack on SHA-1 is my house being on fire: avoiding SHA-1 for
>> self-signatures is making sure to turn off the coffeepot.
>
> While I agree with what you're saying, the big difference between this
> situation and your example is that it's trivially easy for me to say "use
> this digest method instead of this other one" and then forget about it. The
> coffee pot will take care of itself. The question becomes invisible to me as
> soon as I've set the default, and if the effort is so low to do it, I don't
> see any real reason *not* to do it. Security is about nudging up the bar.
>
> Now, that said, I still don't understand why I was seemingly unable to change
> the digest algorithm I'm using for my old key. I'd be grateful if someone
> could enlighten me on that point, as I really want to grasp what was
> happening.

The answer to your question from your original mail is that you're using the "check if SHA-1 is in my preferences" test instead of the "check if my selfsig is SHA-1" test. The proper test for checking your selfsig from the document you were referencing is:

    gpg --export-options export-minimal --export <keyid> | gpg --list-packets | grep -A 2 signature | grep 'digest algo 2,'

David
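The two tests named in the reply can give opposite answers for the same key. The following is an added example, not part of the original thread: it runs both tests over constructed, abridged `gpg --list-packets` output, and the sample text and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed, abridged `gpg --list-packets` output (not from a real key).
# $1 = digest id used for the self-signature, $2 = advertised hash preferences.
sample_packets() {
cat <<EOF
:public key packet:
    version 4, algo 1, created 1230768000, expires 0
:user ID packet: "Alice Example <alice@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1366934400, md5len 0, sigclass 0x13
    digest algo $1, begin of digest 5a 1c
    hashed subpkt 2 len 4 (sig created 2013-04-26)
    hashed subpkt 21 len 5 (pref-hash-algos: $2)
    subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
EOF
}

# Digest id each signature packet was actually made with (2 = SHA-1, 8 = SHA-256).
# With export-minimal, other people's certifications are already stripped.
sig_digest_algos() {
    awk '/^:signature packet:/ { insig = 1; next }
         /^:/                   { insig = 0 }
         insig && /digest algo/ { sub(/,/, "", $3); print $3 }'
}

# Hash preference lists (subpacket 21): what the key owner asks others to use.
pref_hash_lists() {
    sed -n 's/.*(pref-hash-algos: \(.*\))$/\1/p'
}

has_sha1_signature() { sig_digest_algos | grep -qx 2; }   # the selfsig test
prefs_list_sha1()    { pref_hash_lists | grep -qw 2; }    # the preferences test

# Run both tests over list-packets output on stdin and report each result.
compare_tests() {
    packets=$(cat)
    if printf '%s\n' "$packets" | has_sha1_signature; then sig=sha1; else sig=not-sha1; fi
    if printf '%s\n' "$packets" | prefs_list_sha1; then pref=listed; else pref=not-listed; fi
    echo "signature:$sig prefs:$pref"
}

# Selfsig made with SHA-256 while SHA-1 is still listed as an accepted hash.
sample_packets 8 "8 2 9 10 11" | compare_tests
# Selfsig made with SHA-1 although SHA-1 is absent from the preferences.
sample_packets 2 "8 9 10 11 3" | compare_tests
```

Against a real key, feed `compare_tests` the output of `gpg --export-options export-minimal --export <keyid> | gpg --list-packets`.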
