On Mon, Jan 18, 2016 at 10:19 AM, Richard Barnes <[email protected]>
wrote:

> ...
>
> One thing that has been proposed is to have an exception for local roots,
> i.e., to let non-default trust anchors continue to use SHA-1 for some more
> time.  What do folks here think about that idea?
>

That seems like a choice to make only if it must be made, in order to shut
off SHA-1 for public roots in the absence of change in the enterprise. It's
not something I would proactively accept and move towards, since it removes
all pressure from vendors and enterprises to fix up their stuff.

This also seems like something of enough import that a multi-browser/OS
plan would probably be more effective than any single browser leading on
it, since enterprises tend to have 0 qualms about directing their entire
staff to use whatever browser works around the problem they're seeing.

-- Eric


>
>
> On Sun, Jan 17, 2016 at 2:19 PM, <[email protected]> wrote:
>
> > We failed because of MITM certs:
> >
> > https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/
> >
> > But you can set security.pki.sha1_enforcement_level manually.
> >
> >
> > On 16.01.2016 at 00:16, [email protected] wrote:
> > > It's early 2016 and wondering if a decision has been made on the dates?
> > > _______________________________________________
> > > dev-security-policy mailing list
> > > [email protected]
> > > https://lists.mozilla.org/listinfo/dev-security-policy
> >



-- 
konklone.com | @konklone <https://twitter.com/konklone>