On 25.04.22 14:12, Daniel Huigens wrote:
> Apparently, even in 2021, it wasn't uncommon that some OpenPGP software
> still used SHA1 when creating signatures.
> Do you happen to know which software did so?
In one of the reports, gnupg was used, and probably at least version
2.2.4, which apparently uses SHA-512 by default.
The user discovered a gpg.conf file that was set to use SHA-1, but the
user couldn't explain why they had that configuration.
By modifying the configuration file, and repeating key editing, the user
was able to fix their key.
Should we be worried that many users might have configuration files that
lock gnupg into using SHA-1?
If it's possible that users might accidentally have such configurations,
should current versions of GnuPG potentially ignore such an insecure
configuration?
While this is a gnupg specific question, one could generalize it, so the
discussion is more appropriate for this list:
Should modern OpenPGP software ignore outdated configurations that ask
for insecure hash algorithms?
Thanks
Kai
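The kind of leftover configuration the message describes can be checked for mechanically. The script below is an added example and not part of the thread or of GnuPG: it scans a gpg.conf for the real GnuPG options `digest-algo`, `cert-digest-algo` and `personal-digest-preferences` when they force or rank first a weak digest (SHA-1, MD5, RIPEMD-160), and shows a constructed "locked to SHA-1" file beside a constructed fixed one. The sample configurations and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Scans a gpg.conf for the kind of
# leftover setting the thread describes: options that force or prefer a
# weak digest (SHA-1, MD5, RIPEMD-160) when GnuPG signs or certifies.
# digest-algo, cert-digest-algo and personal-digest-preferences are real
# GnuPG options; the sample configurations below are constructed.

# Weak digest names as GnuPG spells them, plus its numeric aliases
# (H1 = MD5, H2 = SHA-1, H3 = RIPEMD-160 from the OpenPGP hash registry).
WEAK_DIGEST='(SHA-?1|MD5|RIPEMD-?160|H[123])'

# Comment-free, non-blank lines of a gpg.conf (empty output if unreadable).
active_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null || true
}

# Lines that pin every signature (digest-algo) or every key certification
# (cert-digest-algo) to a weak digest. These override the default outright.
forced_weak_digest() {
    active_lines "$1" \
      | grep -Ei "^[[:space:]]*(cert-)?digest-algo[[:space:]]+${WEAK_DIGEST}([^[:alnum:]]|\$)" || true
}

# personal-digest-preferences lines whose first (most preferred) entry is
# weak: GnuPG picks the first algorithm acceptable to all recipients, so
# ranking SHA-1 first makes it the usual choice even without digest-algo.
weak_first_preference() {
    active_lines "$1" \
      | grep -Ei "^[[:space:]]*personal-digest-preferences[[:space:]]+${WEAK_DIGEST}([^[:alnum:]]|\$)" || true
}

# Report on one config file. Returns 0 when clean, 1 when a weak digest
# is forced or ranked first.
check_gpg_conf() {
    conf="$1"
    forced=$(forced_weak_digest "$conf")
    preferred=$(weak_first_preference "$conf")
    if [ -z "$forced" ] && [ -z "$preferred" ]; then
        printf 'OK: %s does not force or prefer a weak digest\n' "$conf"
        return 0
    fi
    printf 'WEAK digest settings in %s:\n' "$conf"
    [ -n "$forced" ]    && printf '  forced:    %s\n' "$forced"
    [ -n "$preferred" ] && printf '  preferred: %s\n' "$preferred"
    return 1
}

# Constructed sample: the situation from the thread, a gpg.conf that
# locks GnuPG into SHA-1 although the built-in default would be stronger.
write_weak_sample() {
    cat > "$1" <<'EOF'
# leftover from an old setup
digest-algo SHA1
cert-digest-algo SHA1
personal-digest-preferences SHA1 SHA256
EOF
}

# Constructed sample: the same file after the fix the thread describes.
# digest-algo is removed so GnuPG's default applies; certifications and
# preferences use the SHA-2 family.
write_fixed_sample() {
    cat > "$1" <<'EOF'
cert-digest-algo SHA512
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
EOF
}

# Stand-alone run: check both samples in a scratch directory.
main() {
    dir=$(mktemp -d)
    write_weak_sample "$dir/weak.conf"
    write_fixed_sample "$dir/fixed.conf"
    check_gpg_conf "$dir/weak.conf" || true
    check_gpg_conf "$dir/fixed.conf"
    rm -rf "$dir"
}

main "$@"
```

To check a real installation, call `check_gpg_conf` on the user's file, normally `$GNUPGHOME/gpg.conf` or `~/.gnupg/gpg.conf`. A preference list that merely includes SHA-1 after stronger digests is deliberately not flagged, since that only keeps it as a fallback for recipients who advertise nothing better.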
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp