SHA1 and RIPEMD160 are not declared insecure until widely deployed

2015-10-21 21:42:37 +02:00
parent 14d193a0f2
commit 10fed404ae
1 changed files with 2 additions and 2 deletions
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSecurityConstants.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSecurityConstants.java
@@ -79,8 +79,8 @@ public class PgpSecurityConstants {
     */
    private static HashSet<Integer> sHashAlgorithmsWhitelist = new HashSet<>(Arrays.asList(
            // MD5: broken
-            // SHA1: broken
-            // RIPEMD160: same security properties as SHA1
+            HashAlgorithmTags.SHA1, // TODO: disable when SHA256 is widely deployed
+            HashAlgorithmTags.RIPEMD160, // same security properties as SHA1, TODO: disable when SHA256 is widely deployed
            // DOUBLE_SHA: not used widely
            // MD2: not used widely
            // TIGER_192: not used widely