Am Do., 22. Sept. 2022 um 12:14 Uhr schrieb Justus Winter
<jus...@sequoia-pgp.org>:
>
> Michael J Gruber <michaeljgruber+grubix+...@gmail.com> writes:
>
> > Am Do., 22. Sept. 2022 um 10:47 Uhr schrieb Justus Winter
> > <jus...@sequoia-pgp.org>:
> >>
> >> This replaces the old OpenPGPv4 key that is used in the test suite
> >> with a more modern OpenPGPv4 key.  All cryptographic artifacts in the
> >
> > Both v4? Only one key file is named v4.
>
> Yes, the old key was also a v4 key.  In this context, OpenPGP v4 was
> standardized in 1998.  So when the old key was created, v4 was and has
> been for a long time *the* version of OpenPGP.  It didn't seem to make
> sense to specify the version.
>
> Now, v5 is around the corner, so it makes sense to make the version
> explicit.  That'll help when we introduce v5 artifacts.
>
> >> @@ -6,7 +6,7 @@ Message-ID: <simple-signed-m...@crypto.notmuchmail.org>
> >>  MIME-Version: 1.0
> >>  Content-Type: multipart/signed; boundary="=-=-=";
> >>   protocol="application/pgp-signature";
> >> - micalg=pgp-sha512
> >> + micalg=pgp-sha256
> >
> > You are downgrading the hash algo here and in the other regenerated
> > signatures. This is not wrong per-se, I'm just wondering whether it is
> > intentional (or forced by the standard) when the aim of this series is
> > future-proofing. sha256 is the current "replacement" for sha1, which
> > means it's the one which will be replaced next ;)
>
> Yes I am.  It happened when I re-created the signature.  Recreating the
> artifacts was somewhat tedious (I'm working on tooling for that, but the
> changes to notmuch I created by hand), so I opted for the easiest fix.
>
> WRT future proofing: SHA256 is the only mandatory to implement hash
> algorithm in v5 OpenPGP.  Therefore, when SHA256 falls, we will
> hopefully have specified v6 OpenPGP which moved to a new MTI hash
> algorithm.  So, for a v4 OpenPGP artifact, SHA256 is and will forever be
> more than appropriate.
>
> Best,
> Justus

Thanks for clarifying, sounds good to me!

Michael
_______________________________________________
notmuch mailing list -- notmuch@notmuchmail.org
To unsubscribe send an email to notmuch-le...@notmuchmail.org

Reply via email to