Choose appropriate replacement hash function for SHA1
Design change draft proposal
- Use the full public key or certificate instead of the public key hash whenever possible
- Use SHA-256 when using the full public key is not necessary for security and if the performance impact of the full public key is too large.
- Make sure future changes are easier
Discussion
- Using SHA-3 would be possible but is not currently implemented by GnuTLS (see https://gnutls.org/reference/gnutls-x509.html#gnutls-keyid-flags-t)