Ryan Sleevi wrote:
> On Fri, April 10, 2015 7:49 am, Jürgen Brauckmann wrote:
>> Is this just a survey, or does the question imply a new Mozilla policy
>> which requires CAs to actively force their customers to stop using old,
>> non-expired SHA-1 certificates?
>>
>> The latter would be quite different from what was discussed by Mozilla,
>> Google, Microsoft before.
>
> As the person who suggested it to Kathleen, I'll happily clarify.

Thanks for your clarification, very helpful!

> Note that the latest wording is simply "revoked" [...]

> Every unrevoked SHA-1 certificate
> out there is a _potential_ compatibility issue. Even if the customer's
> server is not _presently_ serving the SHA-1 certificate, because it's
> valid and unrevoked, they could, which would cause issues for Firefox (and
> Chrome and IE) users when they try to access that site after 2017/1/1.

I don't see how revocation might help against potential compatibility issues caused by careless and ignorant site operators: if an operator ignores all communication from his CA and uses a SHA-1 certificate on a server where it causes issues with its users, he will also happily use a revoked certificate (and advise his users to switch off OCSP).

From the point of view of a user, a Firefox error message sec_error_revoked_certificate is the same as sec_error_sha1_untrusted.

Regards,
Jürgen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
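The practical question behind the thread, for a CA or a site operator, is which issued SHA-1 certificates remain valid past the 2017/1/1 cutoff and would therefore trip sec_error_sha1_untrusted in Firefox (and the equivalent in Chrome and IE). The following is an added example, not code from the thread or from Mozilla: a stdlib-only Python check that reads the outer DER structure of an X.509 certificate, extracts the signature-algorithm OID and notAfter, and flags SHA-1-signed certificates that outlive the cutoff. The sample certificates it builds are constructed, unsigned placeholders (empty names, empty SubjectPublicKeyInfo) that are only structurally valid enough for this parser; the cutoff date is the one quoted in the thread.

```python
"""Inventory check for SHA-1 certificates that stay valid past 2017-01-01.

Added example, not part of the original mailing-list post. Uses a small
hand-written DER reader so it runs offline; sample certs are constructed
placeholders, not real CA-issued certificates.
"""
from datetime import datetime, timezone

# Signature-algorithm OIDs that use SHA-1 (RFC 3279).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA1_CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)  # date from the thread


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _decode_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        year = int(s[:2])
        year += 1900 if year >= 50 else 2000
        s = "%04d%s" % (year, s[2:])
    # GeneralizedTime form YYYYMMDDHHMMSSZ
    return datetime(int(s[:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]),
                    int(s[10:12]), int(s[12:14]), tzinfo=timezone.utc)


def classify_certificate(der):
    """Report signature algorithm, notAfter, and whether the cert outlives the cutoff."""
    _, cert, _ = _read_tlv(der, 0)
    tbs, sig_alg, _signature = _children(cert)
    alg_oid = _decode_oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:  # optional explicit [0] version
        fields = fields[1:]
    # tbsCertificate: serialNumber, signature, issuer, validity, subject, spki, ...
    (_, _not_before), (na_tag, na_raw) = _children(fields[3][1])
    not_after = _decode_time(na_tag, na_raw)
    is_sha1 = alg_oid in SHA1_SIGNATURE_OIDS
    return {
        "signature_algorithm": SHA1_SIGNATURE_OIDS.get(alg_oid, alg_oid),
        "not_after": not_after,
        "sha1": is_sha1,
        "breaks_after_cutoff": is_sha1 and not_after > SHA1_CUTOFF,
    }


# --- constructed sample input (DER encoder for placeholder certificates) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid, not_after_utctime):
    """Constructed, unsigned placeholder cert with the given algorithm and notAfter."""
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    empty_name = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"150101000000Z") + _tlv(0x17, not_after_utctime))
    spki = _tlv(0x30, b"")  # not inspected by classify_certificate
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + alg_id + empty_name + validity + empty_name + spki)
    return _tlv(0x30, tbs + alg_id + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    for oid, na in [("1.2.840.113549.1.1.5", b"171231235959Z"),
                    ("1.2.840.113549.1.1.5", b"161231235959Z"),
                    ("1.2.840.113549.1.1.11", b"171231235959Z")]:
        print(classify_certificate(make_sample_cert(oid, na)))
```

On a real inventory you would feed classify_certificate the DER of each issued certificate (PEM can be decoded with base64 first); the check only reads the algorithm identifier and validity, so it does not verify the signature or the chain. Whether a flagged certificate has been revoked is a separate lookup, which is the point of Jürgen's objection: the inventory tells a CA which customers still hold SHA-1 certificates that will break, while revocation alone does not stop an operator from continuing to serve one.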

