rtanglao
commented
1 year ago @kaie wrote in Matrix:
- Note there are various scenarios in which SHA1 is used, and several have already been addressed. So, if you wanted a general article on the topc of "SHA1 deprecation", it would be a lot of work, because you'd have to be complete
To simplify I suggest that the document is specific to this use:
Using SHA-1 in S/MIME digital signatures. - Then the article could just briefly mention that there are other contexts which also need to be looked at separately, and many contexts have already deprecated the use of SHA-1
- For example, we had a "same same but different" scenario with OpenPGP. We have successfully deprecated SHA1 for the "message signature" in OpenPGP messages.
- However, an OpenPGP key is like a complex container with lots of data in it. And the elements in that container are also signed. And we currently still allow SHA1 for those signatures, because of compatibility, and because the other major implementation (gnupg) refuses to deprecate it in that context, and because it can be argued, because the "data that is being signed" cannot be arbitrarily chosen in that context, it's less of a worry. So better not go that deep into the topic.
See (from the 115 Support wiki page)
"NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013, and declared that it should be phased out by 2030.[14] As of 2020, chosen-prefix attacks against SHA-1 are practical."smime_signatures_accept_insecure_sha1, by default set to false, and users could set it to true.