Re: [openpgp] V5 Fingerprint again

ietf-openpgp

Re: [openpgp] V5 Fingerprint again

2017-03-02 05:41:42

I think we can go slightly further here for depreciation in implementation 
logic: if a primary key is self signed with a stronger algorithm, a sha1 
signature can be considered a security error. This avoids a downgrade scenario 
and catches misconfigurations but should have little potential for false 
positives.

The only scenario I can think of where this heuristic is off, is when the 
sender doesn't create their key themselves and isn't itself capable of stronger 
hashes. Not sure if that ever happens? 

 - V

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[openpgp] V5 Fingerprint again, Phillip Hallam-Baker Re: [openpgp] V5 Fingerprint again, KellerFuchs Re: [openpgp] V5 Fingerprint again, Thijs van Dijk Re: [openpgp] V5 Fingerprint again, Thijs van Dijk Re: [openpgp] V5 Fingerprint again, Werner Koch Re: [openpgp] V5 Fingerprint again, Robert J. Hansen Re: [openpgp] V5 Fingerprint again, Werner Koch Re: [openpgp] V5 Fingerprint again, Thijs van Dijk Re: [openpgp] V5 Fingerprint again, Vincent Breitmoser <= Re: [openpgp] V5 Fingerprint again, Thijs van Dijk Re: [openpgp] V5 Fingerprint again, Vincent Breitmoser Re: [openpgp] V5 Fingerprint again, Werner Koch Re: [openpgp] V5 Fingerprint again, Leo Gaspard

Previous by Date:	Re: [openpgp] V5 Fingerprint again, Leo Gaspard
Next by Date:	Re: [openpgp] V5 Fingerprint again, Thijs van Dijk
Previous by Thread:	Re: [openpgp] V5 Fingerprint again, Thijs van Dijk
Next by Thread:	Re: [openpgp] V5 Fingerprint again, Thijs van Dijk
Indexes:	[Date] [Thread] [Top] [All Lists]