On Mon, Jan 18, 2016 at 11:07 AM, Jakob Bohm <[email protected]> wrote:
> On 18/01/2016 16:19, Richard Barnes wrote:
>
>> "Failed" might be a bit strong :)  We had a temporary setback.
>>
>> Like the blog post says, we're working on more precisely characterizing how
>> widespread and how broken these middleboxes are, before taking steps to
>> re-enable the SHA-1 restrictions.  I still think we're on track for turning
>> off SHA-1 entirely (together with the other browsers) sometime around EOY,
>> but obviously there's a bit more uncertainty now.
>>
>> One thing that has been proposed is to have an exception for local roots,
>> i.e., to let non-default trust anchors continue to use SHA-1 for some more
>> time.  What do folks here think about that idea?
>>
>
> How about letting certs that chain to roots that are self-signed with
> SHA-1 use SHA-1, assuming no such roots remain in the default trust
> list.
>

I don't think that assumption is true, unfortunately.  And even if it were,
it seems like this strategy would result in some hard-to-debug errors
without much benefit.

--Richard


> However this would not work if the default root list contains roots
> that are self-signed (historically) using SHA-1, but which no longer
> issue certificates signed with SHA-1 (this is possible for non-DSA
> roots only).
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
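The two exemptions discussed in the thread, as an added example that is not code from the thread, from Mozilla or from NSS: the "local roots" exception (SHA-1 stays usable only under a trust anchor that is not in the default store) and the "root self-signed with SHA-1" heuristic, applied to the same chains. The key point behind Jakob's own caveat is that a path validator never verifies the trust anchor's self-signature, so the anchor's signature algorithm says nothing about what that root currently issues. The certificates below are constructed stubs (empty tbsCertificate, empty signature) and the function names, the chain constants and the "default store" flag are assumptions of this example; the DER walker only follows the outer TLV layout, so it reads the signatureAlgorithm OID of real DER certificates as well.

```python
# Added example, not code from the thread or from Mozilla/NSS. All certificates
# are constructed stubs; only the outer signatureAlgorithm OID is meaningful.

SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def _encode_oid(dotted):
    """Base-128 OID content octets (X.690 8.19)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(data):
    arcs = [data[0] // 40, data[0] % 40]
    val = 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length


def make_cert_stub(sig_oid):
    """Constructed stand-in for Certificate ::= SEQUENCE { tbs, sigAlg, sig }."""
    tbs = _tlv(0x30, b"")                       # tbsCertificate left empty
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00")                   # empty BIT STRING
    return _tlv(0x30, tbs + alg + sig)


def signature_algorithm_oid(cert_der):
    """Read the outer signatureAlgorithm OID without parsing tbsCertificate."""
    tag, body_start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(cert_der, body_start)      # skip tbsCertificate
    _, alg_start, _ = _read_tlv(cert_der, tbs_end)        # AlgorithmIdentifier
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return _decode_oid(cert_der[oid_start:oid_end])


def signed_with_sha1(cert_der):
    return signature_algorithm_oid(cert_der) in SHA1_SIGNATURE_OIDS


def sha1_in_validated_path(chain):
    """chain is leaf first, trust anchor last. Path validation checks every
    signature except the anchor's own, so the anchor is excluded here."""
    return [i for i, cert in enumerate(chain[:-1]) if signed_with_sha1(cert)]


def accept_local_roots_exception(chain, anchor_in_default_store):
    """Exception Richard describes: SHA-1 only under non-default anchors."""
    return not sha1_in_validated_path(chain) or not anchor_in_default_store


def accept_sha1_root_heuristic(chain):
    """Heuristic Jakob proposes: allow SHA-1 if the root is self-signed with SHA-1."""
    return not sha1_in_validated_path(chain) or signed_with_sha1(chain[-1])


# Constructed chains, leaf first. (1) a built-in root self-signed with SHA-1
# years ago whose intermediate is now SHA-256 signed, but the leaf is SHA-1
# signed; (2) a locally installed SHA-256 self-signed root with a SHA-1 leaf.
OLD_DEFAULT_ROOT_CHAIN = [make_cert_stub(SHA1_RSA), make_cert_stub(SHA256_RSA),
                          make_cert_stub(SHA1_RSA)]
LOCAL_ROOT_CHAIN = [make_cert_stub(SHA1_RSA), make_cert_stub(SHA256_RSA)]


def compare_policies():
    """(local-roots exception, SHA-1-root heuristic) verdict for each chain."""
    return {
        "old_default_root": (accept_local_roots_exception(OLD_DEFAULT_ROOT_CHAIN, True),
                             accept_sha1_root_heuristic(OLD_DEFAULT_ROOT_CHAIN)),
        "local_root": (accept_local_roots_exception(LOCAL_ROOT_CHAIN, False),
                       accept_sha1_root_heuristic(LOCAL_ROOT_CHAIN)),
    }


if __name__ == "__main__":
    for name, (local_roots, sha1_root) in compare_policies().items():
        print(f"{name}: local-roots exception={local_roots}, SHA-1-root heuristic={sha1_root}")
```

On the first chain the heuristic accepts a SHA-1 leaf under a built-in root purely because that root's never-verified self-signature happens to be SHA-1, while the local-roots exception rejects it; on the second chain the verdicts flip, so the two rules disagree on exactly the cases the thread is arguing about.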

