[PATCH] MD2 for libgcrypt

Werner Koch wk at gnupg.org
Sat Jul 24 09:05:01 CEST 2010

Stephan Mueller <smueller at chronox.de> writes:

> Yes, agreed from my side as well. But what can you do if customers force you 
> to use it, even with MD2?

An option might be to add flag to trustlist.txt, similar to "relax",
which suppresses validation of the root certificate.

I agree that validation of the root certifciate is not necessary because
we check the fingerprint anyway.  However that extra check revealed some
probelms in the past and thus I don't want to drop it completely.  I
can't remeber but there might have been a specification which required
this validation.

This won't help Daniel's request for adding a MD2 to use libgcrypt as a
crypto bench.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gcrypt-devel mailing list