On Tuesday, 24 May 2016 04:29:10 UTC+1, sanja...@symantec.com wrote: > We used SHA1 and SHA2 in signing algorithm to sign end-entity SMIME > certificates. SHA2 is the current practice for new end-entity SMIME > certificates. We will be stopping SHA1 ICA usage by the end of 2016 for > SMIME. We plan to use a new ICA that has a compliant EKU to issue SMIME > certificates by the end of 2016.
Thanks Sanjay. This timetable is relatively good news, I hope you will keep Mozilla informed if it slips. Where Symantec do issue SHA-1 signed S/MIME today, are there measures in place to ensure chosen prefix attacks are harder through some contents of the certificate being unpredictable to the subscriber, particularly random bits in the serial number field? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
