ietf-openpgp

how close is OpenPGP tied to SHA1

2009-02-01 20:42:51

Hi WG.

After reading the whole RFC I've found several places where SHA1 is
given as the only possible algorithm, e.g. the whole MDC stuff, or the
revocation key signature subpacket (it has these 20 octets of the
fingerprint).
In addition to that we depend very much on SHA1 as our fingerprints
use it, and if I understand correctly the whole web of trust uses them
at keysigning parties, etc.

Now how close are the two tied?

I mean the signatures are completely independent of SHA1 (one can use
a different hash algo for them), and the signatures are not calculated
over fingerprints but over data, right?
So in principle one could say that it would be better not to use
fingerprints when two people sign their keys, but they should better
really exchange secured copies of their public keys, ok?

I still remember the first papers about possible attacks on SHA1
(though I don't know the current state on this),... and we've already
seen how fast MD5 was completely hacked.
So what would happen if the same happens to SHA1? Would the existing
web of trust (I mean the existing keys and their relationships) blow
up?

Bye,
Peter

btw: Is there a difference between OpenPGP's MDC and MACs?
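
The following is an added example, not part of the original message. Assuming the RFC referred to is RFC 4880, it builds a v4 fingerprint, a revocation key subpacket and the octets hashed for a User ID certification, to show where SHA-1 is fixed and where the hash is selectable. The key material, user ID and function names are constructed for this example.

```python
import hashlib
import struct

SHA1_ID, SHA256_ID = 2, 8  # hash algorithm IDs from RFC 4880, section 9.4

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-octet bit count, then big-endian value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA Public-Key packet (version, time, algorithm 1, n, e)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def key_prefix(body: bytes) -> bytes:
    """Key material as fed to a hash: 0x99, 2-octet length, packet body."""
    return b"\x99" + struct.pack(">H", len(body)) + body

def v4_fingerprint(body: bytes) -> bytes:
    """Section 12.2: the hash is fixed to SHA-1; there is no algorithm field."""
    return hashlib.sha1(key_prefix(body)).digest()

def revocation_key_subpacket(fpr: bytes, pk_algo: int = 1) -> bytes:
    """Section 5.2.3.15: class, algorithm, then exactly 20 fingerprint octets."""
    if len(fpr) != 20:
        raise ValueError("subpacket layout only has room for a 160-bit fingerprint")
    return bytes([1 + 22, 12, 0x80, pk_algo]) + fpr

def certification_input(body: bytes, user_id: bytes, hash_id: int,
                        hashed_subpackets: bytes = b"") -> bytes:
    """Section 5.2.4: octets hashed for a v4 User ID certification (type 0x10)."""
    sig = bytes([4, 0x10, 1, hash_id]) + struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets
    trailer = b"\x04\xff" + struct.pack(">I", len(sig))
    return key_prefix(body) + b"\xb4" + struct.pack(">I", len(user_id)) + user_id + sig + trailer

# Constructed sample values (not a real key): a made-up modulus and user ID.
BODY = v4_rsa_key_body(1233520971, int.from_bytes(hashlib.sha512(b"sample").digest(), "big") | 1, 65537)
UID = b"Sample User <sample@example.org>"

if __name__ == "__main__":
    print("fingerprint (always SHA-1):", v4_fingerprint(BODY).hex())
    data = certification_input(BODY, UID, SHA256_ID)
    print("certification digest (SHA-256):", hashlib.sha256(data).hexdigest())
    print("fingerprint inside hashed data:", v4_fingerprint(BODY) in data)
```

With no hashed subpackets, the certification input contains the full key packet and user ID but not the fingerprint; a hashed revocation key subpacket would put a SHA-1 fingerprint into the signed data.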