On Wed, 5 Oct 2016 22:46:24 -0700 Peter Bowen <[email protected]> wrote:
> I think we can all look back with 20/20 hindsight and say that device
> vendors should not use the same roots as browsers and that maybe CAs
> should have created "SHA-1 forever" roots for devices that never plan
> to update, but that is great hindsight. We have the problem now, so we
> need an answer.

I find that a rather strange conclusion. Device vendors shouldn't ship devices they never plan to update. If we can't even agree on that... (after the Brian Krebs incident even more so)

Also, one thing I'd like to point out that I find very strange in this discussion: the demise of SHA-1 has been known since 2004. Do these financial vendors use products that are older than 2004? Or have they ignored the issue until 2014, when browser vendors finally started to indicate some action on the issue? The First Data request sent to the cabf list indicates that they started the transition in 2014.

--
Hanno Böck
https://hboeck.de/
mail/jabber: [email protected]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

