I have been wondering for a while about the use of sha1 in pgp fingerprints.
Although sha1 may not be easily broken in practice, there are theoretical collision attacks that are feasible for well-funded organisations. Cryptographers, like Bruce Schneier, have been recommending for years to migrate to a new hash algorithm for all sorts of reasons. New versions of gpg do not use sha1 in any encryption operation if I am not mistaken. But we still use sha1 fingerprints to compare our keys. The question I have not yet found any clear answer for is: why is nobody talking about this, and should pgp keys be identified by a stronger hash algorithm in the future?

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users