On Wed Feb 12, 2025 at 9:50 AM -03, Clemens Lang wrote: > Hi Werner, > >> On 12. Feb 2025, at 09:25, Werner Koch via Gcrypt-devel >> <gcrypt-devel@gnupg.org> wrote: >> >> On Mon, 3 Feb 2025 15:56, Lucas Mulling said: >> >>> Consider: NIST's deprecation of SHA1, effective 2030-12-31. >> >> That are 5.5 years in the future. Not a good idea to do it now. > > This matters because FIPS validations are valid for five years, but will have > their lifetime limited to NIST’s SHA1 sunset date if they allow SHA1. > > If you do a FIPS validation now, you’ll likely get a certificate in ~2 years, > which then won’t be valid for 5, but only 3, because the build included > support for SHA1.
Yes, also note that operations with SHA1 are not blocked by default, and should work normally unless GCRY_FIPS_FLAG_REJECT_MD_SHA1 is explicitly set. _______________________________________________ Gcrypt-devel mailing list Gcrypt-devel@gnupg.org https://lists.gnupg.org/mailman/listinfo/gcrypt-devel
