On Mon, Nov 2, 2020 at 2:25 PM Phil Pennock via Gnupg-users <gnupg-users@gnupg.org> wrote: > > On 2020-11-02 at 13:49 +0100, Werner Koch via Gnupg-users wrote: > > On Fri, 30 Oct 2020 00:10, Phil Pennock said: > > > recipient. That's fine. I'd rather create pressure for people to fix > > > their systems to use modern cryptography than cater to their brokenness > > > with sensitive messages. > > > > People won't update their keys - that just does not work. Ignoring the > > preferences is a better way here. > > First: thank you for the code changes! > > As to the people part: for a generic call to action, you're right. But > that's not the social dynamic in play here. > > For a specific set of people who know each other, trying to communicate > securely, if someone says "hey your key is too broken to use, please fix > it, here's a command to run (which you should check for yourself), > please do so and send us your new public key" ... then that works.
I do have a question for you and Werner, if you don't mind. When one checks Wikipedia for SHA1: https://en.wikipedia.org/wiki/SHA-1 People may ask when seeing this [Quote]: Since 2005, SHA-1 has not been considered secure against well-funded opponents;[4] as of 2010 many organizations have recommended its replacement.[5][6][7] NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013. Was this therefore ever discussed on OpenPGP Mailing Lists, between OpenPGP experts and Mr. Zimmermann and Werner? Second question: What does it really mean for the OpenPGP ecosystem if there would be a SHA1 collision found in an email or detached signed document or file? I ask, because when one checks a GnuPG digitally signed message or file it usually says it comes from the key (owner) blah and this key has a fingerprint of blah if one checks. Regards Stefan _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
