I think that yes, the response to #1c should include code signing
certificates.  As the description notes, anything a CA signs presents a
risk.

I'm not sure what you're saying about June 30, 2016?  I don't think this
question is related to actual enforcement, just trying to gauge the degree
of residual risk that is out there even after the prohibition on SHA-1 web
certs.

On Wed, Mar 23, 2016 at 2:04 PM, Jeremy Rowley <[email protected]>
wrote:

> Yes. 1c encompasses all certs, which includes code signing (not supported
> by Mozilla) and client (somewhat supported by Mozilla).  If we have to
> change by June 30, 2016, this is trumping the Microsoft date, despite
> Mozilla dropping support for code signing certificates last year.
>
>
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley [email protected] .org] On Behalf Of Kathleen Wilson
> Sent: Wednesday, March 23, 2016 11:46 AM
> To: [email protected]
> Subject: Re: Drafting Q1 2016 CA Communication
>
> On 3/23/16 10:26 AM, Jeremy Rowley wrote:
> > What about code signing and s/MIME certs?  Code signing is still used
> > by MS for legacy software until Jan 2017.
> >
> > On Tuesday, March 22, 2016 at 9:33:19 AM UTC-7, [email protected] wrote:
> >> The following 'ACTION #1c' has been added to the communication, which
> >> is here:
> >> https://wiki.mozilla.org/CA:Communications#March_2016
> >> and click on "Link to DRAFT of March 2016 CA Communication".
> >>
>
> Jeremy, I'm not sure I understand your question. Is it in regards to ACTION
> #1c?
>
> Kathleen
>
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>