On Wed, 1 Mar 2017 20:41, schnabbel(_at_)inurbanus(_dot_)nl said:
1) Should we deprecate SHA1 in signatures? (Or did we already?)
This would break all existing signatures for no good reason. Instead a
new v5 key format MUST NOT be used with signatures "weaker" than
SHA-256.
It is up to an implementation to decide what to do with old keys and
signature material. The question is related to the old question what to
do with an expired or revoked signature key: are all signatures are then
suddenly untrustworthy or is there enough external context which allows
to decide that the signed document is still intact?
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
pgpZQff53ANbT.pgp
Description: PGP signature
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp