On 2016-08-17 11:24, Matt Palmer wrote:
> On Wed, Aug 17, 2016 at 10:22:13AM +0200, Kurt Roeckx wrote:
>> On 2016-08-17 00:23, Ryan Sleevi wrote:
>>> Practically speaking, what steps could be taken?
>> 6) Ask them to immediately stop issuing SHA-1 based certificates that chain
>> back to any of the root certificates in the Mozilla root store, and revoke
>> the one they shouldn't have issued. If they fail to comply, distrust all
>> their certificates.
> Didn't they already get asked to do that?
I don't see that being asked, it was just pointed out that this is a
violation of the BR requirements, and that the CA certificate might get
added to OneCRL preventing its use to issue certificates for server
authentication.
The BR requirements only apply to certificates that can be used for
server authentication, and they say they stopped using that intermediate
certificate for server authentication at the start of the year. But the
SHA-1 requirement really is about all certificates, not just those that
need to comply with the BR requirements.
I don't think adding that CA certificate to OneCRL is enough, that would
only protect Mozilla users. They should revoke all the relevant
certificates.
Kurt
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy