On Mon, Jan 18, 2016 at 3:26 PM, Eric Mill <[email protected]> wrote:

> On Mon, Jan 18, 2016 at 10:19 AM, Richard Barnes <[email protected]> wrote:
>
>> ...
>>
>> One thing that has been proposed is to have an exception for local roots,
>> i.e., to let non-default trust anchors continue to use SHA-1 for some more
>> time. What do folks here think about that idea?
>
> That seems like a choice to make only if it must be made, in order to shut
> off SHA-1 for public roots in the absence of change in the enterprise. It's
> not something I would proactively accept and move towards, since it removes
> all pressure from vendors and enterprises to fix up their stuff.

To be clear: I said "some more time", not "forever" :)

> This also seems like something of enough import that a multi-browser/OS
> plan would probably be more effective than any single browser leading on
> it, since enterprises tend to have 0 qualms about directing their entire
> staff to use whatever browser works around the problem they're seeing.

Even if the browsers coordinate, though, it seems like enterprises also have very little problem using old browsers, which is something we definitely don't want to encourage.

--Richard

> -- Eric
>
>> On Sun, Jan 17, 2016 at 2:19 PM, <[email protected]> wrote:
>>
>> > We failed because of MITM certs:
>> >
>> > https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/
>> >
>> > But you can set security.pki.sha1_enforcement_level manually.
>> >
>> > On 16.01.2016 at 00:16, [email protected] wrote:
>> > > it's early 2016 and wondering if a decision has been made on the
>> > > dates?
>> > > _______________________________________________
>> > > dev-security-policy mailing list
>> > > [email protected]
>> > > https://lists.mozilla.org/listinfo/dev-security-policy
>
> --
> konklone.com | @konklone <https://twitter.com/konklone>

