On Thu, Dec 05, 2024 at 11:37:44AM +0100, Bernhard Reiter via Gnupg-devel wrote:
> Hi Werner,
>
> last year in March 2023 you wrote in
> https://dev.gnupg.org/T6433

There was no discussion of the potential vulnerabilities in T6433 that might be caused by leaving things as they are. When discussing long used methods we really need to concentrate on the actual potential harm to users. What are those potential harms here?

My understanding is that since SHA-1 is secure for everything but collisions that the user is quite safe even in the face of easy to create collisions. What am I missing?

An attacker can't create a collision with an existing SHA-1 digest and the new digests are made with SHA-256. An attacker can create matching keys using SHA-1 digests and submit one of them to some sort of trusted third party for certification but that is the sort of thing that only works once. What is the actual issue here?

Bruce
