All,
We've posted a security blog to provide current status and direction on
phasing out SHA-1 certs:
https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/
Of particular note:
- In Firefox 43 we plan to show an overridable “Untrusted Connection”
error whenever Firefox encounters a SHA-1 based certificate that has
ValidFrom after Jan 1, 2016. This includes the web server certificate as
well as any intermediate certificates that it chains up to.
- We are re-evaluating when we should start rejecting all SHA-1 SSL
certificates (regardless of when they were issued). As we said before,
the current plan is to make this change on January 1, 2017. However, in
light of recent attacks on SHA-1, we are also considering the
feasibility of having a cut-off date as early as July 1, 2016.
Also of note:
- We do not currently plan to display an error if an OCSP response is
signed by a SHA-1 certificate.
- We do not currently plan to throw an error when SHA-1 S/MIME and
client authentication certificates are encountered.
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
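
An added example, not part of the original message and not Mozilla's code: a small audit helper that applies the Firefox 43 rule described above to the text output of `openssl x509 -noout -text` for a server certificate and its intermediates. The function names, the sample texts, and the reading of "after Jan 1, 2016" as "at or after 2016-01-01 00:00:00 UTC" are assumptions.

```python
import re
from datetime import datetime, timezone

# Assumption: "ValidFrom after Jan 1, 2016" is read as notBefore at or after
# 2016-01-01 00:00:00 UTC.
CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)

SIG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")
NOT_BEFORE_RE = re.compile(r"Not Before\s*:\s*(.+?)\s*GMT")


def parse_cert_text(text):
    """Return (signature_algorithm, not_before) from openssl x509 -text output."""
    sig = SIG_RE.search(text)
    nb = NOT_BEFORE_RE.search(text)
    if not sig or not nb:
        raise ValueError("not recognisable as openssl x509 -text output")
    when = datetime.strptime(nb.group(1), "%b %d %H:%M:%S %Y")
    return sig.group(1), when.replace(tzinfo=timezone.utc)


def flagged_certs(chain_texts):
    """Indexes of certs (leaf first, then intermediates) that are SHA-1 signed
    and have notBefore at or after the cutoff."""
    hits = []
    for i, text in enumerate(chain_texts):
        alg, not_before = parse_cert_text(text)
        if "sha1" in alg.lower() and not_before >= CUTOFF:
            hits.append(i)
    return hits


def _sample(alg, not_before):
    # Constructed, trimmed openssl-style text; not taken from a real certificate.
    return (
        f"    Signature Algorithm: {alg}\n"
        "        Validity\n"
        f"            Not Before: {not_before} GMT\n"
        "            Not After : Dec 31 23:59:59 2017 GMT\n"
    )


LEAF_NEW_SHA1 = _sample("sha1WithRSAEncryption", "Jan  5 00:00:00 2016")
LEAF_SHA256 = _sample("sha256WithRSAEncryption", "Jan  5 00:00:00 2016")
INTERMEDIATE_OLD_SHA1 = _sample("sha1WithRSAEncryption", "Mar 12 10:30:00 2014")
INTERMEDIATE_NEW_SHA1 = _sample("ecdsa-with-SHA1", "Feb 20 08:00:00 2016")

if __name__ == "__main__":
    print(flagged_certs([LEAF_NEW_SHA1, INTERMEDIATE_OLD_SHA1]))
```

Pass only the server certificate and its intermediates, since those are the certificates the message names.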