On 2020/05/02 00:23, Stephan Mending wrote:
> Hi,
>
> I actually read your thread. By what I understood you're at the moment
> trying to change a few defaults.
>
> That was the reason I wanted to add SHA1 for removal. I just thought it
> deserved a separate thread.
>
> I do understand that you're trying to be careful with removing or changing
> defaults. From my point of view everybody that is (maybe implicitly) using
> SHA1 right now is better off to get this wakeup call the earlier the
> better.
>
> We aren't even removing SHA1, we're just not offering it as default. And for
> those Windows boxes who require it, those people just have to add a line to
> explicitly enable it. I would not see such a big problem.

The things removed recently have a very low risk of affecting anyone. sha1 (and modp1024) are high risk. Removing from the default list may cause some people to be unable to connect to their network after updating. This may mean that they are then unable to connect back in to fix it. If this change is made it needs to be done fairly early in the release cycle, and preferably at a time when slightly fewer people are relying on working remote access to get at their networks.
