Thanks everyone for your replies.
It seems that the amount of breakage we have introduced with Thunderbird
91.8.0 is too high.
Based on my understanding from your replies, and also based on some
advice I have received from Werner in private, we should aim to stop
accepting binding signatures based on SHA-1 in the future, however, as
of today, it might be acceptable to accept them for another while.
We are considering undoing the change in Thunderbird, and continuing to
allow those signatures until we have a better way to handle this scenario.
I'd like to have a mechanism in the next version of Thunderbird to
repair those keys the user owns (by updating all affected signatures),
to show warnings for correspondents' keys, and to announce a future
cutoff date.
It would be nice to find an agreed cutoff date across applications and
libraries. However, with an advance warning and upgrade mechanism, it
might also be acceptable to have Thunderbird go first.
Thanks and Regards
Kai
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp