Hi Gustaf and Frank
many thanks for the responses. Yes, your suspicions are correct - this is a concern of one client of ours, who are keen to have an answer.
My takeaway here is that the current usage of SHA-1 for password encryption in OpenACS may be a potential issue, but that there are achievable solutions (involving, as you say, some work).
Apart from that, if I consider OpenACS version 5.91 in its entirety, I can count approx 30 calls to ns_sha1. Not all of these are used for security, I imagine, but do we need to be concerned about any of those 30 calls?
thanks for the help!
Brian
