On 18/01/2016 16:19, Richard Barnes wrote:
> "Failed" might be a bit strong :) We had a temporary setback.
> Like the blog post says, we're working on more precisely characterizing how
> widespread and how broken these middleboxes are, before taking steps to
> re-enable the SHA-1 restrictions. I still think we're on track for turning
> off SHA-1 entirely (together with the other browsers) sometime around EOY,
> but obviously there's a bit more uncertainty now.
> One thing that has been proposed is to have an exception for local roots,
> i.e., to let non-default trust anchors continue to use SHA-1 for some more
> time. What do folks here think about that idea?
How about letting certs that chain to roots that are self-signed with
SHA-1 use SHA-1, assuming no such roots remain in the default trust
list.
However this would not work if the default root list contains roots
that are self-signed (historically) using SHA-1, but which no longer
issue certificates signed with SHA-1 (this is possible for non-DSA
roots only).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
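The two exemption rules discussed in the message above (the "local roots" exception Richard mentions, and the "root is self-signed with SHA-1" variant Jakob proposes, together with his caveat about legacy SHA-1-self-signed roots still present in the default store) expressed as a chain-acceptance check. This is an added example, not code from the thread or from any browser; certificates are modelled as plain records instead of parsed X.509 so it runs offline, and the root names and the default-store contents are constructed for illustration.

```python
"""Toy model of SHA-1 chain-acceptance policies (added example, not from the thread).

A chain is a list of Cert records ordered leaf -> intermediates -> root, where the
root is self-signed. Field names are this example's own, not any library's.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_hash: str  # hash used in the signature *on* this certificate: "sha1" / "sha256"

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def uses_sha1_below_root(chain: List[Cert]) -> bool:
    """True if any certificate other than the trust anchor is SHA-1 signed.

    The root's own self-signature is never verified during path validation (a
    trust anchor is trusted by identity), so it is deliberately excluded here.
    """
    return any(c.sig_hash == "sha1" for c in chain[:-1])


def chain_allowed(chain: List[Cert], default_roots: Set[str], policy: str) -> bool:
    """Decide whether a chain is accepted under one of three policies.

    "strict"     - no SHA-1 signatures below the root, whatever the anchor.
    "local-root" - SHA-1 below the root is tolerated only when the root is not a
                   default (shipped) anchor, i.e. was added locally by the user/admin.
    "sha1-root"  - SHA-1 below the root is tolerated only when the root itself is
                   self-signed with SHA-1 (the variant proposed in the message).
    """
    root = chain[-1]
    if not root.self_signed:
        raise ValueError("chain must end in a self-signed trust anchor")
    if not uses_sha1_below_root(chain):
        return True  # nothing to exempt
    if policy == "strict":
        return False
    if policy == "local-root":
        return root.subject not in default_roots
    if policy == "sha1-root":
        return root.sig_hash == "sha1"
    raise ValueError(f"unknown policy {policy!r}")


# --- constructed sample data (hypothetical names, not real CAs) ---------------
PUBLIC_ROOT_G3 = Cert("CN=Public Root G3", "CN=Public Root G3", "sha256")
# Legacy public root: self-signed with SHA-1 years ago, but now issues SHA-256 only.
PUBLIC_ROOT_G1 = Cert("CN=Public Root G1", "CN=Public Root G1", "sha1")
# Enterprise root installed locally, still issuing SHA-1 to old devices.
CORP_ROOT = Cert("CN=Corp Internal CA", "CN=Corp Internal CA", "sha1")

DEFAULT_ROOTS = {PUBLIC_ROOT_G3.subject, PUBLIC_ROOT_G1.subject}

PUBLIC_MODERN = [Cert("CN=www.example.test", "CN=Public Root G3", "sha256"), PUBLIC_ROOT_G3]
LOCAL_LEGACY = [Cert("CN=printer.corp.test", "CN=Corp Internal CA", "sha1"), CORP_ROOT]
# A SHA-1 leaf under the legacy public root: exactly the case Jakob's caveat describes.
PUBLIC_LEGACY = [Cert("CN=old.example.test", "CN=Public Root G1", "sha1"), PUBLIC_ROOT_G1]


def evaluate_all() -> dict:
    """Run every sample chain through every policy; returns {(chain, policy): allowed}."""
    chains = {"public-modern": PUBLIC_MODERN, "local-legacy": LOCAL_LEGACY,
              "public-legacy": PUBLIC_LEGACY}
    return {(name, pol): chain_allowed(chain, DEFAULT_ROOTS, pol)
            for name, chain in chains.items()
            for pol in ("strict", "local-root", "sha1-root")}


if __name__ == "__main__":
    for (name, pol), ok in sorted(evaluate_all().items()):
        print(f"{name:14s} {pol:11s} -> {'allow' if ok else 'reject'}")
```

The interesting row is `public-legacy` under `sha1-root`: because the rule keys on the root's self-signature hash rather than on where the root came from, a SHA-1 leaf chaining to a publicly trusted root that merely *was* self-signed with SHA-1 gets through, even though that CA has long since moved to SHA-256. That is the situation the message says would break the proposal unless no such roots remain in the default list; the `local-root` policy rejects the same chain because it keys on store membership instead.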