On 16. Mar 2022, at 00:04, Tom Hughes via devel
<devel(a)lists.fedoraproject.org> wrote:
> On 15/03/2022 22:45, Robert Relyea wrote:
> > 1) In Fedora 37, provide a policy that turns SHA-1 off. In our testing, we encourage
> > people to run with that policy and write bugs against components.
> That policy already exists in Fedora 34 and 35 where the FUTURE policy
> does not allow SHA1 in signature algorithms.
In the case of OpenSSL, that only affects use of SHA1 as signature algorithms in TLS.
It does not cover arbitrary signatures with a SHA1 digest, which is what we are
proposing.
HTH,
Clemens
--
Clemens Lang
RHEL Crypto Team
Red Hat