Re: Selection of digest algorithm
On Thu, 29 Jan 2009 00:50, ds...@jabberwocky.com said: Yes. Or at least the current one is. There is a new version of the spec that allows for more hashes, but I don't believe there is a The problem is that card checks that the correct padding, inclusive the OID of the hash is used and thus rejects other hashs than implemented. OpenPGP cards specs 2 are not that restrictive anymore and merely check that there is enough padding. Thus any hash usable with the key size is allowed. We expect fist samples of the card next month. If we are lucky production may start in late spring. The card or better the chip used with the card will also be used by the German health card project (50 million cards or so) and that stupid project is very much delayed - thus the delays with card production. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Selection of digest algorithm
Sven Radde wrote: So it would appear that Evolution uses RFC 2015, skipping the obsolete MD5. No. Jeff Anderson, Evolution's main GnuPG author, told me directly they supported RFC3156. He went on at great length about how inline traffic is stupid and it isn't RFC-approved for email use, and how RFC3156 was the One True Way regardless of what people wanted. So yeah, taking Jeff at his word, he implemented RFC3156. He's just artificially restricting which hash algorithms can be used, which has the added side effect of completely breaking Evolution for DSA2 keys. Evolution cannot sign messages with a DSA2 key -- or at least, I've never found a way to do it short of going in and hacking up the source code. I do not think very highly of Evolution's OpenPGP support. Is there a GnuPG setting to find out more about the exact calls that Evolution does? I found out just by writing a tiny shellscript wrapper which echoed the arguments given to GnuPG. As I said, other parts of gpg.conf are honored These would be the parts they're not setting on the command line. Is there some kind of recommended email application when it comes to GnuPG support? Or, put differently, which ones are known for good integration? At last year's USENIX, in a panel discussion, Dan Wallach of Rice declared Enigmail the best thing going in terms of OpenPGP integration. That's high praise coming from a very well-respected guy in computer security. This was said as part of a sidebar he made about the difficulty in getting 30+ Ph.Ds in computer science to all use PGP for a particular mailing list. Some were using Evolution, some were using ancient PGP, some were using modern PGP, some were using plugins, others were CPing into a Microsoft Word document then using some weird Word PGP plugin, some were using Enigmail, etc. He capped it off with an exasperated sigh, then recommended Enigmail to people who needed OpenPGP integration, as Enigmail gave the least troubles. I have used Enigmail in the past but I was under the impression that its integration was hampered by limitations of Thunderbird's plugin API. It is. But it's not /severely/ hampered. E.g., address book integration doesn't work because the address book internals are such a maze of twisty little passages, all alike. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Selection of digest algorithm
Sven Radde wrote: First, when sending a signed email from Evolution, SHA1 seems to be chosen, no matter what personal-digest-preferences or even digest-algo is set in the gpg.conf file (other parts of gpg.conf are honored, however). Is this a limitation of the PGP/MIME standard that Evolution uses? Evolution's GnuPG support is in many ways broken, FYI. I have repeatedly had troubles with it misreporting inline signed messages as having bad signatures, misreporting inline signed and encrypted messages as being only encrypted, as misreporting trust levels, as... etc., etc. Evolution's core developers seem to believe RFC3156 is the be-all and end-all of OpenPGP support, and even then, it's a somewhat idiosyncratic 3156, if I recall correctly. Second, when using the smartcard, and personal-digest-preferences SHA256 RIPEMD160, the latter is chosen as digest algorithm. Is the smartcard limited to 160 Bit hashes? What sort of smartcard are you using, and what does it support as far as hash algorithms? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Selection of digest algorithm
On Jan 28, 2009, at 6:06 PM, Sven Radde wrote: Hi gnupg-users! I noticed some oddities (to me) with the selection of a hash algorithm by GnuPG. I assume that the particular use-cases have additional limitations which are not obvious to me, so could you please clarify? First, when sending a signed email from Evolution, SHA1 seems to be chosen, no matter what personal-digest-preferences or even digest-algo is set in the gpg.conf file (other parts of gpg.conf are honored, however). Is this a limitation of the PGP/MIME standard that Evolution uses? No. OpenPGP/MIME can use any hash that OpenPGP can. Possibly Evolution is overriding the gpg.conf setting for your hashes? Second, when using the smartcard, and personal-digest-preferences SHA256 RIPEMD160, the latter is chosen as digest algorithm. Is the smartcard limited to 160 Bit hashes? Yes. Or at least the current one is. There is a new version of the spec that allows for more hashes, but I don't believe there is a physical card based on the updated spec that you can purchase yet. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users