On 30/09/16 13:40, Jakob Bohm wrote:
> Well, at least the intermediaries involved would be SHA-1 and be
> checked against the SHA-1-distrust policy?

Yes. But issuing SHA-1 from a currently-publicly-trusted root is a BR violation, whether clients enforce distrust or not. One solution often adopted for old clients is to issue from a root which is no longer currently-publicly-trusted.

Gerv

