Yep.
I recently added the following. Feedback welcome/appreciated.
https://wiki.mozilla.org/CA:Problematic_Practices#SHA-1_Certificates
==
SHA-1 certificates may be compromised when attackers can create a fake
cert that hashes to the same value as one with a legitimate signature,
and is hence trusted. Mozilla can mitigate this potential vulnerability
by turning off support for SHA-1 based signatures. The SHA-1 root
certificates don’t necessarily need to be removed from NSS, because the
signatures of root certificates are not validated (roots are
self-signed). Disabling SHA-1 will impact intermediate and end entity
certificates, where the signatures are validated.
There are still many end entity certificates that would be impacted if
support for SHA-1 based signatures was turned off. Therefore, we are
hoping to give CAs time to react, and are planning to turn off support
for SHA-1 based signatures in 2017. Note that Mozilla will take this
action earlier if needed to keep our users safe.
CAs should not be issuing new SHA-1 certificates, and should be
migrating their customers off of SHA-1 intermediate and end-entity
certificates.
If a CA still needs to issue SHA-1 certificates for compatibility
reasons, then those SHA-1 certificates should expired before 2017.
==
Also, this topic is on my list of things to included in the next CA
Communication. I was hoping to not have to do another CA Communication
until I have migrated the CA Program data into SalesForce.com and have a
more automated way to handle CA Communications and responses. (this
project has started, more info to come as we make progress)
I can make an announcement in Mozilla's Security Blog if you all think
that is needed. (btw... I'm also drafting a security blog about 1024-bit
certs.)
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
