[pkg-gnupg-maint] Bug#870497: Bug#870497: dirmngr: SKS keyserver network CA certificate uses SHA1 for the fingerprint

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Aug 2 16:52:22 UTC 2017


Control: retitle 870497 dirmngr: SKS keyserver network CA certificate is self-signed using SHA1 

Hi Paul--

On Wed 2017-08-02 12:00:45 -0400, Paul Wise wrote:
> I noticed that the SKS keyserver network CA certificate uses SHA1 for
> the fingerprint. Since browser vendors are phasing out SHA1 certs,
> the SKS keyserver network should probably do that too.
>
>   $ openssl x509 -in /usr/share/gnupg/sks-keyservers.netCA.pem -text -noout | grep -i sha1
>       Signature Algorithm: sha1WithRSAEncryption
>       Signature Algorithm: sha1WithRSAEncryption

I think you mean that the signature algorithm uses SHA1, not that it's a
SHA1 fingerprint.

I agree with you that this is bad practice, but it doesn't actually
matter for root certificates.  For a root certificate, what matters is
the public key in question, not how it's signed.

That said, it would be nice to have a re-generated root certificate that
uses a modern signing algorithm just to avoid anyone worrying about it
(or some toolkit being overly-strict and deciding to not accept it).

I've cc'ed the upstream maintainer of that CA, Kristian Fiskerstrand, to
see whether he's willing to issue an updated root cert with the same key
material but using a modern signing algorithm.

Thanks for the heads up,

    --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20170802/e0f195a7/attachment.sig>


More information about the pkg-gnupg-maint mailing list