On 30/09/16 07:50, Jakob Bohm wrote: > SHA-1 certs until the hardware dies. On a trust policy/BR level, the > key detail here is that the issuing root cert is a SHA-1 cert itself > and would thus be distrusted by SHA-1-distrusting systems anyway.
That's not so; I believe most (all?) systems don't check the signatures on their own embedded root certificates, because they are implicitly trusted. There are many roots in the Mozilla program with SHA-1 signatures; see the Signature Hash Algorithm column in: https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport In fact, there are two with MD5 signatures, although as it happens they are only trusted for email. Gerv _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
