On Wed, 2021-07-14 at 14:13 -0400, Paul Wouters wrote:
> On Mon, 12 Jul 2021, Simo Sorce wrote:
> > > SQLite is a general-purpose tool. Not every use of SHA-1 is
> > > cryptographically relevant. Most uses in the context of SQLite probably
> > > aren't, so the removal just annoys users for no good reason.
> >
> > Note that this is a SQLite decision; from RHEL engineering we only
> > requested the removal in digital signatures and where integrity
> > protection is required for security.
> > Also note that we do not require full removal, just that SHA-1 is not
> > used unless users intentionally change configuration.
>
> How does this affect users of NSS who have created "default" databases,
> e.g. using certutil -N? Do these use SHA1? If so, can they be migrated
> to SHA2? Automatically?

I do not think this feature is used by NSS, CCing Bob.

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc