On Tue, Aug 15, 2017 at 07:20:32PM +0200, Ralph Seichter wrote:

> I agree, and I am not worried about SHA1 at this point. Still, if better
> digests are available simply by configuring a different algorithm name
> via smtpd_tls_fingerprint_digest, I'm all for using one of them.

The hardest part is making sure you still have a copy of all the authorized public keys or certificates, so that you can compute a new digest. If all you have is the (say md5 or sha1) digest, then it is not feasible to compute the corresponding sha256 digest.

--
Viktor.
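Added example, not part of the original message: a sketch of the migration step described above. It recomputes each authorized certificate fingerprint under the new digest and reports entries whose certificate is no longer on hand. Assumptions: fingerprints are digests of the certificate's DER encoding written as colon-separated upper-case hex, the old table is a dict of fingerprint to label, and the sample "certificates" are constructed byte strings, not real X.509.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of every certificate block in a PEM string."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]

def fingerprint(der, algo):
    """Digest of the DER bytes as colon-separated upper-case hex."""
    h = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def migrate(old_table, pem_text, old_algo="sha1", new_algo="sha256"):
    """Map {old fingerprint: label} to ({new fingerprint: label}, orphans).

    An orphan is an authorized entry with no matching certificate on hand;
    its new digest cannot be derived from the old digest alone.
    """
    by_old = {fingerprint(d, old_algo): d for d in pem_to_der(pem_text)}
    new_table, orphans = {}, []
    for old_fp, label in old_table.items():
        der = by_old.get(old_fp.upper())
        if der is None:
            orphans.append((old_fp, label))
        else:
            new_table[fingerprint(der, new_algo)] = label
    return new_table, orphans

def _pem(der):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample data: stand-ins for certificate DER, not real certificates.
KEPT = [b"constructed stand-in for client A certificate DER",
        b"constructed stand-in for client B certificate DER"]
LOST = b"constructed stand-in for client C, file no longer on hand"
SAMPLE_PEM = "".join(_pem(d) for d in KEPT)
SAMPLE_OLD = {fingerprint(KEPT[0], "sha1"): "clientA",
              fingerprint(KEPT[1], "sha1"): "clientB",
              fingerprint(LOST, "sha1"): "clientC"}

if __name__ == "__main__":
    new, orphans = migrate(SAMPLE_OLD, SAMPLE_PEM)
    for fp, label in new.items():
        print(fp, label)
    for fp, label in orphans:
        print("# no certificate on hand, cannot migrate:", label, fp)
```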