What is the shortest priority to demand aes256, prefering aead, but accept the certs in actual use in the wild? SECURE256 fails because it demands sha512 and essentially no one uses that to sign certs. -JimC -- James Cloos <cloos at jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6