[pkg-gnupg-maint] Bug#870497: Bug#870497: dirmngr: SKS keyserver network CA certificate uses SHA1 for the fingerprint

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Tue Oct 17 16:24:25 UTC 2017


On 08/02/2017 06:52 PM, Daniel Kahn Gillmor wrote:
> I agree with you that this is bad practice, but it doesn't actually
> matter for root certificates.  For a root certificate, what matters is
> the public key in question, not how it's signed.
> 
> That said, it would be nice to have a re-generated root certificate that
> uses a modern signing algorithm just to avoid anyone worrying about it
> (or some toolkit being overly-strict and deciding to not accept it).
> 
> I've cc'ed the upstream maintainer of that CA, Kristian Fiskerstrand, to
> see whether he's willing to issue an updated root cert with the same key
> material but using a modern signing algorithm.

It doesn't have security relevance, so I won't do anything with the CA
pubkey. The certificates issued have been sha256 for a while, and the
rollover CA cert will be, though.

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"Money is better than poverty, if only for financial reasons."
(Woody Allen)
