On 18/01/2016 22:18, Richard Barnes wrote:
On Mon, Jan 18, 2016 at 11:07 AM, Jakob Bohm <jb-mozi...@wisemo.com> wrote:
On 18/01/2016 16:19, Richard Barnes wrote:
"Failed" might be a bit strong :) We had a temporary setback.
Like the blog post says, we're working on more precisely characterizing how
widespread and how broken these middleboxes are, before taking steps to
re-enable the SHA-1 restrictions. I still think we're on track for turning
off SHA-1 entirely (together with the other browsers) sometime around EOY,
but obviously there's a bit more uncertainty now.
One thing that has been proposed is to have an exception for local roots,
i.e., to let non-default trust anchors continue to use SHA-1 for some more
time. What do folks here think about that idea?
How about letting certs that chain to roots that are self-signed with
SHA-1 use SHA-1, assuming no such roots remain in the default trust
list.
I don't think that assumption is true, unfortunately. And even if it were,
it seems like this strategy would result in some hard-to-debug errors
without much benefit.
I was attempting to avoid the even-harder-to-debug error where behavior
depends on how a root cert was added to the configuration.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy