On Thu, May 08, 2014 at 03:35:42PM +0100, Jeremy Harris wrote:
> Both GnuTLS and OpenSSL have suitable entrypoints:
>
> gnutls_x509_crt_get_fingerprint()
> X509_digest()
>
> Do we need stronger hash methods also?

At least in OpenSSL (and likely the corresponding GnuTLS function,
but I have not looked) the X509_digest() function takes a digest
algorithm parameter. There is no reason not to offer the user
a choice of algorithm.

Postfix also makes the public key (SPKI) digest available for access
checks (same digest algorithm).

--
Viktor.
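
The two digests discussed in this message, as an added example that is not part of the original e-mail and is not Exim, Postfix, OpenSSL or GnuTLS code: Python's hashlib stands in for X509_digest(), with the algorithm name as a parameter applied to both the whole certificate and its SubjectPublicKeyInfo. The helper names and the certificate skeleton are constructed for illustration.

```python
import hashlib

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low 7 bits = length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def spki_der(cert):
    """Return the complete SubjectPublicKeyInfo element of a DER certificate."""
    tag, pos, _ = read_tlv(cert, 0)               # Certificate ::= SEQUENCE
    tbs_tag, pos, tbs_end = read_tlv(cert, pos)   # TBSCertificate ::= SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a certificate")
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert, pos)
        if not (tag == 0xA0 and not fields):      # skip optional [0] version
            fields.append(cert[pos:end])
        pos = end
    if len(fields) < 6:
        raise ValueError("TBSCertificate too short")
    return fields[5]    # serial, sigalg, issuer, validity, subject, SPKI

def digests(cert, algorithm="sha256"):
    """(certificate digest, SPKI digest), both with the same algorithm."""
    return (hashlib.new(algorithm, cert).hexdigest(),
            hashlib.new(algorithm, spki_der(cert)).hexdigest())

def tlv(tag, content):                      # builder for the constructed sample
    return bytes([tag, len(content)]) + content

def sample_cert(serial):
    """Constructed certificate skeleton (not a valid, signed certificate)."""
    alg = tlv(0x30, tlv(0x06, b"\x2b\x65\x70"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + bytes(range(32))))
    empty = tlv(0x30, b"")
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, bytes([serial]))
              + alg + empty + empty + empty + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

Two skeletons that differ only in serial number give different certificate digests but the same SPKI digest, for whichever algorithm name is passed.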