On Sep 15, 2009, at 9:42 AM, Nicholas Cole wrote:

Hi all.  This is a query mostly for my own interest, but I think it
might point to a change in the documentation being required.

I was slightly confused by this message

http://lists.gnupg.org/pipermail/gnupg-users/2009-May/036361.html

David suggests (as I read it) that an RSA key created with
--cert-digest-algo sha256  will continue to use sha256 whenever it
signs keys, whereas the documentation implies that you would have to
specify --cert-digest-algo every time a key is signed.

Perhaps I wasn't clear in that message. You definitely need to specify --cert-digest-algo every time a key is signed (or put it in your gpg.conf file).

How does an RSA key choose a hash algorithm for this purpose?

For RSA, the rules are: if cert-digest-algo is set, use it. If you have a PGP 2.x key making a PGP 2.x signature, use MD5. Otherwise, use SHA-1.

It might also be worth noting that (if I read
http://lists.gnupg.org/pipermail/gnupg-users/2009-May/036379.html
correctly) this option does not control what DSA2 keys use.

No. It does control what DSA keys use, but you must choose an algorithm that makes sense for the particular DSA key (for example, you can't use SHA-1 with a DSA 2048-bit key).

David
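To make the rules in this exchange concrete, here is a small added model (not GnuPG's own code) of how the certification hash is chosen for RSA and DSA keys. The RSA branch follows David's description above; the DSA q-size table, the "hash must be at least as wide as q" check (RFC 4880 section 13.6) and the choice of the smallest fitting hash when no option is set are assumptions of this example, not statements from the thread.

```python
# Digest widths in bits, using the names gpg prints for OpenPGP hashes.
HASH_BITS = {"MD5": 128, "SHA1": 160, "SHA224": 224, "SHA256": 256,
             "SHA384": 384, "SHA512": 512}

# Assumption: DSA key size (bits of p) -> bits of q, as commonly generated.
# 1024-bit DSA uses a 160-bit q; DSA2 keys use a 224- or 256-bit q.
DSA_Q_BITS = {1024: 160, 2048: 224, 3072: 256}


def rsa_cert_digest(cert_digest_algo=None, pgp2_key=False):
    """RSA rule from the thread: --cert-digest-algo wins if set, a PGP 2.x
    key making a PGP 2.x signature uses MD5, everything else uses SHA-1."""
    if cert_digest_algo:
        return cert_digest_algo
    if pgp2_key:
        return "MD5"
    return "SHA1"


def hash_fits_dsa(key_bits, algo):
    """RFC 4880 13.6 constraint (assumption, not from the thread): the hash
    output must be at least as wide as the DSA subgroup order q."""
    return HASH_BITS[algo] >= DSA_Q_BITS[key_bits]


def default_dsa_hash(key_bits):
    """Assumption: with no option set, pick the narrowest hash wide enough
    for q (SHA-1 for 1024-bit DSA, SHA-224 for 2048-bit, SHA-256 for 3072)."""
    fitting = [h for h in HASH_BITS if hash_fits_dsa(key_bits, h)]
    return min(fitting, key=HASH_BITS.get)


def dsa_cert_digest(key_bits, cert_digest_algo=None):
    """DSA rule: --cert-digest-algo is honoured, but only if the chosen hash
    makes sense for this key; otherwise the signature is refused."""
    algo = cert_digest_algo or default_dsa_hash(key_bits)
    if not hash_fits_dsa(key_bits, algo):
        raise ValueError(f"{algo} ({HASH_BITS[algo]} bits) is too narrow for "
                         f"a DSA key with a {DSA_Q_BITS[key_bits]}-bit q")
    return algo


if __name__ == "__main__":
    print("RSA, no option:     ", rsa_cert_digest())
    print("RSA, PGP 2.x key:   ", rsa_cert_digest(pgp2_key=True))
    print("RSA, option SHA256: ", rsa_cert_digest("SHA256"))
    print("DSA 2048, SHA256:   ", dsa_cert_digest(2048, "SHA256"))
    print("DSA 2048, SHA1 ok?  ", hash_fits_dsa(2048, "SHA1"))
```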


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
