I hadn't caught the wiki update -- that's terrific! Thanks for pointing it out.
> I can make an announcement in Mozilla's Security Blog if you all think that is needed.

I do think a quick announcement, linking to your wiki page and linking to MS' and Chrome's announcements, would be helpful in communicating to the world that This Is Happening.

-- Eric

On Thu, Aug 28, 2014 at 12:52 PM, Kathleen Wilson <[email protected]> wrote:
> Yep.
>
> I recently added the following. Feedback welcome/appreciated.
>
> https://wiki.mozilla.org/CA:Problematic_Practices#SHA-1_Certificates
> ==
> SHA-1 certificates may be compromised when attackers can create a fake
> cert that hashes to the same value as one with a legitimate signature, and
> is hence trusted. Mozilla can mitigate this potential vulnerability by
> turning off support for SHA-1 based signatures. The SHA-1 root certificates
> don’t necessarily need to be removed from NSS, because the signatures of
> root certificates are not validated (roots are self-signed). Disabling
> SHA-1 will impact intermediate and end entity certificates, where the
> signatures are validated.
>
> There are still many end entity certificates that would be impacted if
> support for SHA-1 based signatures was turned off. Therefore, we are hoping
> to give CAs time to react, and are planning to turn off support for SHA-1
> based signatures in 2017. Note that Mozilla will take this action earlier
> if needed to keep our users safe.
>
> CAs should not be issuing new SHA-1 certificates, and should be migrating
> their customers off of SHA-1 intermediate and end-entity certificates.
>
> If a CA still needs to issue SHA-1 certificates for compatibility reasons,
> then those SHA-1 certificates should expire before 2017.
> ==
>
>
> Also, this topic is on my list of things to include in the next CA
> Communication. I was hoping to not have to do another CA Communication
> until I have migrated the CA Program data into SalesForce.com and have a
> more automated way to handle CA Communications and responses. (This project
> has started, more info to come as we make progress.)
>
> I can make an announcement in Mozilla's Security Blog if you all think
> that is needed. (btw... I'm also drafting a security blog about 1024-bit
> certs.)
>
> Thanks,
> Kathleen
>
>
>
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

--
konklone.com | @konklone <https://twitter.com/konklone>
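The quoted wiki text draws a distinction that is easy to get wrong when auditing a deployment: only the signatures on intermediate and end-entity certificates are validated, so a SHA-1 self-signed root is not itself a problem, while a SHA-1 leaf or intermediate that is still valid past 2017 is. The script below is an added example, not code from this thread, from Mozilla or from NSS: it walks the DER of each certificate in a chain with a minimal TLV reader, reads the outer signatureAlgorithm OID and the notAfter date, skips self-signed certificates, and applies the quoted policy. The OIDs are the real sha1WithRSAEncryption, ecdsa-with-SHA1 and dsa-with-sha1 values; the sample chain, the issuer and subject names, and the `fake_cert` skeleton (simplified Name encoding, zero-filled signature, no keys) are constructed for the example and are not real certificates.

```python
"""Flag SHA-1 signatures in a chain, skipping self-signed roots whose
signatures are never validated (added example; constructed sample data)."""
from datetime import datetime

# Real OIDs of the SHA-1 signature algorithms, in dotted form.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
SHA1_CUTOFF = datetime(2017, 1, 1)  # the date the quoted wiki text names


def read_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Split a constructed value's content into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def decode_oid(body):
    """Decode OID content bytes to dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:  # base-128 arcs, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def cert_facts(der):
    """Return (self_signed, signature OID, notAfter) from a DER Certificate.
    The outer signatureAlgorithm is the one a verifier checks, so that is
    what we read; the copy inside tbsCertificate is ignored."""
    _, cert, _ = read_tlv(der)
    tbs, sig_alg, _signature = children(cert)
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    _serial, _tbs_alg, issuer, validity, subject = fields[:5]
    tag, not_after = children(validity[1])[1]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    oid = decode_oid(children(sig_alg[1])[0][1])
    return issuer[1] == subject[1], oid, datetime.strptime(not_after.decode(), fmt)


def audit_chain(chain):
    """Apply the quoted policy to [(label, der), ...], leaf first, root last."""
    findings = []
    for label, der in chain:
        self_signed, oid, not_after = cert_facts(der)
        name = SHA1_SIGNATURE_OIDS.get(oid)
        if self_signed:
            verdict = "root: self-signed, signature not validated"
        elif name is None:
            verdict = "ok"
        elif not_after < SHA1_CUTOFF:
            verdict = f"{name}: expires before 2017, tolerated for compatibility"
        else:
            verdict = f"{name}: valid past 2017, must be reissued"
        findings.append((label, verdict))
    return findings


# --- constructed sample chain: hypothetical names, no real keys or signatures ---
def der(tag, content):
    """Encode one DER TLV (short or two-byte long-form length)."""
    n = len(content)
    length = bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def fake_cert(issuer, subject, sig_oid, not_after):
    """Skeleton with only the fields cert_facts() reads; Name is simplified
    to SEQUENCE { UTF8String } and the signature is zero filler."""
    def name(s):
        return der(0x30, der(0x0C, s.encode()))
    alg = der(0x30, der(0x06, sig_oid))
    validity = der(0x30, der(0x17, b"140101000000Z") + der(0x17, not_after.encode()))
    tbs = der(0x30, der(0x02, b"\x01") + alg + name(issuer) + validity + name(subject))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 5))


SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

SAMPLE_CHAIN = [
    ("leaf", fake_cert("Example Intermediate CA", "www.example.test", SHA1_RSA, "180101000000Z")),
    ("intermediate", fake_cert("Example Root CA", "Example Intermediate CA", SHA256_RSA, "250101000000Z")),
    ("root", fake_cert("Example Root CA", "Example Root CA", SHA1_RSA, "300101000000Z")),
]

if __name__ == "__main__":
    for label, verdict in audit_chain(SAMPLE_CHAIN):
        print(f"{label:13s} {verdict}")
```

Run against the constructed chain, the SHA-1 root is reported as not validated, the SHA-256 intermediate passes, and the SHA-1 leaf valid into 2018 is the one that needs reissuing; a SHA-1 leaf expiring in 2016 is reported as tolerated, matching the compatibility carve-out in the quoted text. To use it on real certificates, feed DER bytes (for example from a PEM file decoded with `base64`) in place of `fake_cert` output; the reader handles the optional version field and long-form lengths that real certificates contain.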

