Re: [openpgp] Rejecting expiration signatures that involve SHA1

Thanks everyone for your replies.

It seems that the amount of breakage we have introduced with Thunderbird91.8.0 is too high.

Based on my understanding from your replies, and also based on someadvice I have received from Werner in private, we we should aim to stopaccepting binding signatures based on SHA-1 in the future, however, asof today, it might be acceptable to accept then for another while.

We consider to undo the change in Thunderbird, and continue to allowthose signatures until we have a better way to handle this scenario.

I'd like to have a mechanism in the next version of Thunderbird torepair those keys the user owns (by updating all affected signatures),to show warnings for correspondent's keys, and to announce a futurecutoff date.

It would be nice to find an agreed cutoff date across applications andlibraries. However, with an advance warning and upgrade mechanism, itmight also be acceptable to have Thunderbird go first.


Thanks and Regards
Kai

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:

Re: [openpgp] test vectors for unknown signatures [was: Re: Implementers: does your OpenPGP tool gracefully discard signature packets of unknown version?], Peter Gutmann

Next by Date:

Re: [openpgp] test vectors for unknown signatures [was: Re: Implementers: does your OpenPGP tool gracefully discard signature packets of unknown version?], Daniel Kahn Gillmor

Previous by Thread:

Re: [openpgp] test vectors for unknown signatures [was: Re: Implementers: does your OpenPGP tool gracefully discard signature packets of unknown version?], Peter Gutmann

Next by Thread:

Re: [openpgp] Implementers: does your OpenPGP tool gracefully discard signature packets of unknown version?, Paul Schaub

Indexes:

[Date] [Thread] [Top] [All Lists]