----- Original Message ----- > From: "Chris Palmer" <[email protected]> > To: "Chris Egeland" <[email protected]> > Cc: "[email protected]" > <[email protected]> > Sent: Wednesday, 24 September, 2014 11:53:58 PM > Subject: Re: Security Blog about SHA-1 > > Also, there's no problem (from a Chrome UX perspective) because > Mozilla's certificate expires on 7 December 2015 — well before that > bad 1 Jan 2017 date, and even before the dodgy 1 Jan 2016 date. > > http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html > > SHA-1 signature algorithms are not per se bad right now; what's bad is > certificate chains using SHA-1 that will/would be valid too far in the > future. Between now and 1 Jan 2016, and between then and 1 Jan 2017, > there is plenty of time to get a new certificate, signed with a > SHA-256-based signature function.
It's debatable if the 2016 date is good. NIST doesn't agree.... but yes, as far as Internet certs go, mozilla one is not so bad -- Regards, Hubert Kario _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
