Michael Catanzaro wrote:
> SHA-1 is blocked in certificate signatures because those can be
> attacked offline. Signatures in the TLS handshake are entirely
> different. I'm hardly an expert, but I think the attacker only has a
> few seconds to generate a hash collision before the user gives up and
> closes the browser tab. Spending several months trying to find a
> collision is not an option here. Am I wrong?

Probing the server repeatedly I get the same value in the Pubkey field several times in a row. Some time later the value changes. The server seems to replace the key every few hours or days. The Signature field is different every time though. Thus I'm not sure whether the attacker's time limit is the lifetime of the key (which Fedora can't control) or the TCP timeout.

Björn Persson