T7338: Make SHA1 non-FIPS and differentiate in the SLI
Clemens Lang
cllang at redhat.com
Wed Feb 12 13:50:43 CET 2025
Hi Werner,
> On 12. Feb 2025, at 09:25, Werner Koch via Gcrypt-devel <gcrypt-devel at gnupg.org> wrote:
>
> On Mon, 3 Feb 2025 15:56, Lucas Mulling said:
>
>> Consider: NIST's deprecation of SHA1, effective 2030-12-31.
>
> That is 5.5 years in the future. Not a good idea to do it now.
This matters because FIPS validations are valid for five years, but will have their lifetime limited to NIST’s SHA1 sunset date if they allow SHA1.
If you do a FIPS validation now, you’ll likely get a certificate in ~2 years, which then won’t be valid for 5, but only 3, because the build included support for SHA1.
--
Clemens Lang
RHEL Crypto Team
Red Hat