ietf-openpgp
[Top] [All Lists]

Re: [openpgp] New fingerprint: which hash algo

2015-10-08 17:48:24
On 6/10/2015 10:03 am, Simon Josefsson wrote:
On 30 September 2015 at 01:18, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:
On Mon, 21 Sep 2015 11:13, simon(_at_)josefsson(_dot_)org said:

Regarding which hash to use, SHA-256 is probably the simplest
choice From a practicallity and consensus point of view.  Are
there any strong reasons to favor something else?

I have a small preference to see the fingerprint algorithm match what
we believe the most popular signature (hash) algorithm will be. I've
been working with a number of embedded folks and code size can often
be a big concern. More Algorithms, More Code.

My perception is that the most popular signature hash algorithms right
now are SHA-256 and SHA-512.

Err... A few minor quibbles here about the notions of cryptographic democracy:


1. Popularity? Why is that interesting? Surely we can do a bit better than democracy or fashion or votes on cat pictures?

Engineering or planning, anyone?

2. The reason SHA-256 is the most popular these days is that, in the wake of the 2004 Shandong hashquake, we've made a stunning amount of progress in upgrading. We've almost decided against SHA1 in certificates. We're almost serious about it. And now that freestart collisions are chewing it down to its last 4 bits, we might actually ... do it.

(Which is to say, popularity got us to a situation where *11* years after the shots were fired, and 15 years after the new version was delivered, we're still using lots and lots of SHA1. We want to improve that with 15 year old tech?)

3. It's certainly a stunning indictment on algorithmic agility that SHA1 is still an issue, which is another process by which popularity makes its objective mark.


While SHA-256 and SHA-512 have somewhat
different characteristics on different platforms, I believe we are
approaching the limit of where a lot of additional comparisons are
worth the time and effort compared to just pick one of them.  I'm fine
with SHA-256 for the reasons that Werner presented.  Does someone
else want to promote another option?  Can we get closure on this?

/Simon

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp