> - We are re-evaluating when we should start rejecting all SHA-1 SSL > certificates (regardless of when they were issued). As we said before, > the current plan is to make this change on January 1, 2017. However, in > light of recent attacks on SHA-1, we are also considering the > feasibility of having a cut-off date as early as July 1, 2016.
I think that pulling in this date will create chaos for some large enterprises who are already scrambling to phase out SHA-1 by the end of 2016. They had been counting on using all of 2016 to complete their migration. It wouldn't just be an inconvenience - it would make an already-difficult situation nearly impossible. And I'll point out that Microsoft is considering the same thing but with a different date - June 1, 2016. Would you at least consider collaborating with other browser vendors to agree on the same date? _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
