On 08/02/2017 06:52 PM, Daniel Kahn Gillmor wrote:
> I agree with you that this is bad practice, but it doesn't actually
> matter for root certificates. For a root certificate, what matters is
> the public key in question, not how it's signed.
>
> That said, it would be nice to have a re-generated root certificate that
> uses a modern signing algorithm just to avoid anyone worrying about it
> (or some toolkit being overly-strict and deciding to not accept it).
>
> I've cc'ed the upstream maintainer of that CA, Kristian Fiskerstrand, to
> see whether he's willing to issue an updated root cert with the same key
> material but using a modern signing algorithm.

It doesn't have security relevance, so I won't do anything with the CA
pubkey. The certificates issued have been sha256 for a while, and the
rollover CA cert will be, though.

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"Money is better than poverty, if only for financial reasons."
(Woody Allen)
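
The point discussed in this thread, as an added example that is not part of the original messages or of the CA's own tooling: re-issuing a self-signed root over the same key changes the certificate and its signature algorithm but not the public key a trust store pins. The key, subject name and file names are constructed; SHA-256 and SHA-384 stand in for the old and new digests because some OpenSSL builds refuse to create SHA-1 signatures.

```shell
#!/bin/sh
# Constructed demo: one key pair, two self-signed roots with different digests.

# SHA-256 over the DER SubjectPublicKeyInfo: the part a relying party trusts.
spki_fp() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 over the whole certificate, self-signature included.
cert_fp() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Signature algorithm recorded in the certificate.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# make_root KEY DIGEST OUT: self-signed root for an existing key.
make_root() {
    openssl req -x509 -new -key "$1" "-$2" -days 1 \
        -subj "/CN=Constructed Example Root" -out "$3" 2>/dev/null
}

# Issues both roots and leaves the results in OLD_* / NEW_* variables.
compare_roots() {
    dir=$(mktemp -d) || return 1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$dir/root.key" 2>/dev/null || return 1
    make_root "$dir/root.key" sha256 "$dir/old.pem" || return 1
    make_root "$dir/root.key" sha384 "$dir/new.pem" || return 1
    OLD_SIG=$(sig_alg "$dir/old.pem"); NEW_SIG=$(sig_alg "$dir/new.pem")
    OLD_SPKI=$(spki_fp "$dir/old.pem"); NEW_SPKI=$(spki_fp "$dir/new.pem")
    OLD_FP=$(cert_fp "$dir/old.pem"); NEW_FP=$(cert_fp "$dir/new.pem")
    rm -rf "$dir"
    echo "old root: sig=$OLD_SIG spki=$OLD_SPKI cert=$OLD_FP"
    echo "new root: sig=$NEW_SIG spki=$NEW_SPKI cert=$NEW_FP"
}

compare_roots
```

Software that pins the root by whole-certificate fingerprint rather than by public key would see the re-issued root as a different certificate, so the two `cert=` values are the ones to check against any such pin.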