[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: system-wide crypto policies

* Daniel Pocock:

> However, are such issues at the discretion of package maintainers and
> upstream, or is it useful to have a uniform Debian approach to
> cryptographic strength?

Keep in mind that RFC 4880 (OpenPGP) hard-codes SHA-1 in several
places, notably for key fingerprints.  If there's a uniform strength
requirement, we need some weasel words that GnuPG remains compliant.

It's also unclear if SHA-256 or SHA-512 is stronger, and if either
really is that much better than SHA-1.

Reply to: