-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alphax (Wikipedia email) wrote:
> I find it interesting that you're advocating moving away from MD5 in a situation where the known collision weaknesses aren't relevant, yet you personally are still using SHA1 (which was broken about two years ago) in a situation which *is* susceptible to collision -
First of all, SHA1 is not *broken*: although cryptographers have discovered ways to force collisions at a rate lower than brute-force, the attack is still not practical. Furthermore, in a message signing context, you would need to trick me into signing a doctored message, which would be pretty much impossible as I almost always only use GPG to sign plaintext.
Furthermore, I'm currently using a DES signature, which uses 160 bits and thus does not support SHA-256. I could use RSA, but then encryption would be out of the question.
What you SHOULD be asking is why I'm using an old version of GnuPG (the current version is 1.4.6).
> and your signature didn't verify on that message (ep65i0$496$1@sea.gmane.org).
Don't know why, my archived copy gives similar results. Maybe Thunderbird did something to it.