Just a little report. I'm still doing some reading up on this stuff on the gpg mailing lists, etc., among other delays. I'm not totally comfortable making a recommendation yet, or even deciding what to do for myself.
Daniel Kahn Gillmor's document is discussed on the GnuPG lists: http://www.debian-administration.org/users/dkg/weblog/48 I gather that there have been discussions about this within Debian, but haven't got to those yet. I don't see anyone really shooting it down, but Robert J. Hansen's document came up out of the discussion: http://secret-alchemy.com/sha1/ DKG and RJH went around on some points. Oddly, there is at least one person on the GnuPG dev list who is against documenting a transition or making recommendations. There are others who support it, especially to clear up bad recommendations out there, but the bad recommendations haven't been pointed out, as far as I've read. There is the question of compatibility with old versions of pgp or old messages, and the related issue of finding mutually acceptable algorithms when dropping sha-1. It would be nice if the GnuPG devs would make some official recommendations for users who want to migrate away from sha-1, but I wouldn't hold my breath. I wonder if OpenPGP key cards influence this? Finally, a Camellia for OpenPGP RFC was just published http://www.imc.org/ietf-openpgp/mail-archive/msg34029.html Please do chime in with pointers to others making and documenting the transition, or the current state of the art, or whatever. -- Anthony Carrico
signature.asc
Description: OpenPGP digital signature
