On Thu, Oct 06, 2016 at 08:22:20AM +0200, Hanno Böck wrote:
> On Wed, 5 Oct 2016 22:46:24 -0700
> Peter Bowen <pzbo...@gmail.com> wrote:
>
> > I think we can all look back with 20/20 hindsight and say that device
> > vendors should not use the same roots as browsers and that maybe CAs
> > should have created "SHA-1 forever" roots for devices that never plan
> > to update, but that is great hindsight. We have the problem now, so we
> > need an answer.
>
> I find that a rather strange conclusion.
> Device vendors shouldn't ship devices they never plan to update. If we
> can't even agree on that... (after the Brian Krebs incident even more
> so)
>
> Also one thing I'd like to point out that I find very strange in this
> discussion: The demise of SHA-1 has been known since 2004.
>
> Do these financial vendors use products that are older than 2004? Or
> have they ignored the issue until 2014 when browser vendors finally
> started to indicate some action on the issue?
I think everybody ignored this until around 2013.

Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy