On Thursday, 1 September 2016 12:48:34 UTC+1, Man Ho (Certizen) wrote:
> We did inform all subscribers back in October 2014 that SHA-1 SSL server
> cert was CEASED since 1 January 2016, and reminded each of them
> individually that SHA-1 SSL server cert will no longer be trusted by
> browsers starting from 1 January 2017. Some of them might have replaced
> their SHA-1 SSL server cert by new cert (either from us or other CA, I
> don't know), without letting us know to revoke their SHA-1 SSL server
> cert. Some of them might want to keep using their SHA-1 SSL server cert
> until its expiry, which is still well before the well-known deadline 1
> January 2017. I believe that their rights to use SHA-1 SSL server cert
> before deadline should not be affected.
The action that triggered this sanction was under your control. If it was vital to Hongkong Post to avoid this outcome, then SHA-1 issuance of any kind under the unconstrained intermediate should have ceased at the end of 2015 as required, and then we wouldn't be having this discussion.

Ultimately it is unfair to expose relying parties to additional risk as a result of bad choices by a CA or subscriber, so if somebody has to be inconvenienced it makes sense for it to be Hongkong Post or its subscribers. If the effect of this action by Mozilla is to encourage some Hongkong Post subscribers to switch to a different CA which doesn't engage in problematic behaviours, OR for those subscribers to demand from Hongkong Post that it should avoid such behaviours in future so as to prevent any further inconvenience to the subscribers, either of those works out well for the relying parties.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

