On Thu, 2013-06-27 at 11:24 +0200, Daniel Pocock wrote: > Some of the discussion in this bug seems relevant to the GnuPG and > GnuPG2 packages in Debian, but the bug is against the archive > pseudo-package: > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612657 > > Can anybody else make any comments: > > a) should there be more effort to phase out SHA1? I guess there are different fractions which give you different answers... SHA1 is not yet broken, but it has scratches...
> b) how is it being approached upstream? Is backwards-compatibility > still emphasized to the same extent? Upstream is always very conservative... I'm not sure whether this is always the best way to follow. > c) should this become a general system-wide goal to audit and increase > crypto-strength in all parts of jessie / future Debian versions? Sure... it should _always_ be a general and permanent goal to increase security... I'd also generally recommend on trying to phase out older hash alogs, when there's no specific reason to keep them (for performance reasons... which is IMHO rarely the case). An alternative (perhaps even a better one)... was to use multiple different algos concurrently... verify all, and if _ANY_ of them fails... consider it invalid.
smime.p7s
Description: S/MIME cryptographic signature
