On 3/11/2015 22:14 pm, Nils Durner wrote:
> Hi,
> I would like to elaborate on why I feel that algorithm deprecation
> should also be guided by regulations. For Germany, the algorithm catalog
> for Electronic Signatures[0] issued by the Federal Network Agency
> dictates that SHA-1 and RIPEMD-160, respectively, are suitable only for
> verification of qualified certificates until the end of 2015.
> I feel that implementations should help users use crypto correctly, and
> incorrect use also includes use of methods deemed insufficient by law,
> IMO. IANAL, but repudiability based on algorithm choice should be
> guarded against.
I think this is an over-reading of the dig-sig laws. Although I haven't
followed it for a couple of years, there have been court cases in
Germany that have accepted digital signatures from non-qualified
sources. Also, the qualified signature programme in Europe is basically
a failure.
I would recommend completely ignoring what some law says, and doing it
right by the user. You'll get into more trouble in trying to align with
the law than by doing the right thing, in my not so humble opinion.
iang
_______________________________________________
openpgp mailing list
openpgp@ietf.org
https://www.ietf.org/mailman/listinfo/openpgp