Hi there,
Apparently, even in 2021, it wasn't uncommon that some OpenPGP software
still used SHA1 when creating signatures.
Do you happen to know which software did so?
I'm primarily posting this FYI, because there probably isn't a good
solution to the situation we're experiencing. We probably shouldn't undo
the change to allow a longer migration period?
I agree; I support rejecting SHA1 signatures. For now, in OpenPGP.js we
only do so for message signatures by default, not binding signatures
yet, but we could start rejecting SHA1 binding signatures as well.
Thanks for leading the way there :)
Best,
Daniel
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp