[Top] [All Lists]

Re: [openpgp] Rejecting expiration signatures that involve SHA1

2022-05-02 04:50:28
Thanks everyone for your replies.

It seems that the amount of breakage we have introduced with Thunderbird 91.8.0 is too high.

Based on my understanding from your replies, and also based on some advice I have received from Werner in private, we we should aim to stop accepting binding signatures based on SHA-1 in the future, however, as of today, it might be acceptable to accept then for another while.

We consider to undo the change in Thunderbird, and continue to allow those signatures until we have a better way to handle this scenario.

I'd like to have a mechanism in the next version of Thunderbird to repair those keys the user owns (by updating all affected signatures), to show warnings for correspondent's keys, and to announce a future cutoff date.

It would be nice to find an agreed cutoff date across applications and libraries. However, with an advance warning and upgrade mechanism, it might also be acceptable to have Thunderbird go first.

Thanks and Regards

openpgp mailing list

<Prev in Thread] Current Thread [Next in Thread>
  • Re: [openpgp] Rejecting expiration signatures that involve SHA1, Kai Engert <=