Just to make sure I understand… In the VeriSign case the MD2 roots expire on 2028-08-01, and the SHA1 roots expire on 2028-08-02, so the SHA1 roots would take precedence in NSS. Therefore, there is no benefit in keeping the MD2 roots, and the MD2 roots should be removed when the SHA1 roots are added.
In the Izenpe case, they are requesting to add both the SHA1 and the SHA256 roots.

The SHA1 dates are
12/13/2007 5:08:27 AM
12/13/2037 0:27:25 AM

The SHA256 dates are
12/13/2007 5:08:28 AM
12/13/2037 0:27:25 AM

NSS will always pick the SHA256 root, because its NotBefore date is one second later than that of the SHA1 root. This means that if the SHA256 root is included, there is no benefit in also including the SHA1 root. However, Izenpe may want to consider only including the SHA1 root because many of their customers may be using operating systems that don’t yet support SHA256.

Is this correct?

Thanks,
Kathleen

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto