On 27/09/2016 21:02, Erwann Abalea wrote:
Bonsoir,
Le mardi 27 septembre 2016 18:43:29 UTC+2, Han Yuwei a écrit :
在 2016年9月27日星期二 UTC+8下午11:21:26,Hector Martin "marcan"写道:
On 2016-09-27 23:21, Han Yuwei wrote:
在 2016年9月27日星期二 UTC+8下午8:33:28,Gervase Markham写道:
On 27/09/16 13:13, [email protected] wrote:
We must use Windows XP becuase some programs can only run on XP. We
have no money to get new programs and new Windows. Do you give $$$¥¥¥
to me??? You don't right? So please understand why we use XP.
Windows XP SP3 supports SHA-256. And of course, you always have the
option of Linux, which is a free modern operating system.
Gerv
There are a lot of software whose company is already down running at factoies,
critical public infrastructures even hospital. We can't take the risk to
upgrade the operating system. But I am not supporting continous using of SHA1
certificates. Maybe you can understand this. :)
*Not* upgrading the operating system is a security risk. If you need to
interact with certificates, your computer is networked. If your computer
is networked, you absolutely cannot afford *not* to keep it up to date
and using a supported operating system. Anything else is asking to get
compromised, and then certificates are going to be the least of your
worries.
The "install it once and don't touch it" mentality stops working the
moment there's an Ethernet port with a cable connected to it. I would
hope networked equipment at critical public infrastructure like a
hospital is using a supported, updated operating system and software.
--
Hector Martin "marcan" ([email protected])
Public Key: https://mrcn.st/pub
Yes, I totally agree with you.But some software can't work under newer system.
Maybe we can find a solution towards this.
There are 2 solutions for this problem:
1/ a temporary one, where the certificate subscriber can demonstrate that it its relying
parties can't accept SHA2 today but will be upgraded before the end of 2016. The
procedure to get a SHA1 certificate is a public review with extended checks, it takes
about 2 weeks to get the approval if nothing risky is found. It's the "SHA1
Exceptions process" described in the extensive report written by Gerv. WoSign and
StartCom have chosen to not follow it, and to hide their actions.
2/ a permanent one, where it's really not possible to upgrade the relying
parties' systems to accept SHA2, or the subscriber is not willing to do the
effort. The SHA1 certificate is issued by a non public CA, and this non public
CA is explicitly imported as trusted in the necessary relying parties' systems.
There is no other alternative.
Note that in my daily work, I am aware of at least one system where
neither option is particularly viable, due to the platform vendor
locking down the system and then abandoning the signing services that
would usually authorize CA certificate imports. This leaves the system
in question with a "set in stone" list of trusted (SHA-1) CAs.
Thus to cater to those systems (especially when the actual devices are
3rd party owned), the only practical solution would be for one of the
relevant old SHA-1 root CA certs to issue (via intermediaries etc.) new
SHA-1 certs until the hardware dies. On a trust policy/BR level, the
key detail here is that the issuing root cert is a SHA-1 cert itself
and would thus be distrusted by SHA-1-distrusting systems anyway.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
