On 03/11/16 04:25, [email protected] wrote:
> Gerv,
>
> Given the discussions in the past about risks of SHA-1 issuance for
> *any* cert type, and the responses from action #1c from the March 2016
> CA communication, are there any public plans for dealing with this type
> of certificate yet?
>
> As in, do we have plans for banning SHA-1 issuance outright?

Not at the moment, because there are lots of complex edge cases. A good step which provides much of the same protections is to simply stop accepting them, which we plan to do in January next year (for publicly-trusted roots).

> Do these non-server-certs only fall under the BR's sigAlg policy if a
> generated certificate collision has an EKU of server auth? (And by that
> time, is it too late?)

Like I said, the scope of the BRs is debatable.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
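The mitigation Gerv describes, refusing to accept SHA-1-signed certificates rather than trying to police issuance, is what a relying party implements on its own side. The following is an added example written for this page, not Mozilla's or NSS's code: it reads the outer signatureAlgorithm OID of each DER certificate in a chain with a minimal hand-written TLV reader and rejects the chain when any SHA-1 signature OID appears and the chain ends in a publicly-trusted root. The sample certificates are constructed placeholders (an empty tbsCertificate shell with only the signature algorithm filled in), the `publicly_trusted` flag is an assumed input from the caller's trust store, and the January cutoff date is not modelled.

```python
# Added example: flag SHA-1 signatures in a DER certificate chain.
# Not Mozilla/NSS code. Assumes DER input; sample certs below are placeholders.

# Signature algorithm OIDs that hash with SHA-1 (RFC 3279 assignments).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    header = 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
    start = pos + header
    end = start + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[start:end], end


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for byte in content[1:]:                # base-128, high bit set on all but last byte
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate
    (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue })."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    _, _, pos = _read_tlv(body, 0)          # skip tbsCertificate entirely
    tag, alg_id, _ = _read_tlv(body, pos)   # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def sha1_signed(chain, skip_trust_anchor=False):
    """(index, algorithm name) for every SHA-1-signed cert in a leaf-first chain.
    A root's self-signature is never verified, so it may be excluded."""
    certs = chain[:-1] if skip_trust_anchor and len(chain) > 1 else chain
    hits = []
    for i, cert in enumerate(certs):
        oid = signature_algorithm_oid(cert)
        if oid in SHA1_SIGNATURE_OIDS:
            hits.append((i, SHA1_SIGNATURE_OIDS[oid]))
    return hits


def accept_chain(chain, publicly_trusted):
    """Policy from the thread: refuse SHA-1 signatures under publicly-trusted
    roots; chains under private roots are left to the deployment's own policy."""
    if publicly_trusted and sha1_signed(chain, skip_trust_anchor=True):
        return False
    return True


# --- constructed sample data (placeholders, not real certificates) ---
def _der(tag, content):
    """Encode one DER TLV with the correct short or long length form."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _placeholder_cert(oid_bytes):
    """Certificate shell: empty tbsCertificate, given sigalg (OID + NULL), empty BIT STRING."""
    alg_id = _der(0x30, _der(0x06, oid_bytes) + b"\x05\x00")
    return _der(0x30, _der(0x30, b"") + alg_id + _der(0x03, b"\x00"))


SHA1_RSA_CERT = _placeholder_cert(bytes.fromhex("2a864886f70d010105"))     # 1.2.840.113549.1.1.5
SHA256_RSA_CERT = _placeholder_cert(bytes.fromhex("2a864886f70d01010b"))   # 1.2.840.113549.1.1.11
ECDSA_SHA256_CERT = _placeholder_cert(bytes.fromhex("2a8648ce3d040302"))   # 1.2.840.10045.4.3.2
```

Only the outer signatureAlgorithm is inspected here; a real validator also compares it against the `signature` field inside tbsCertificate (RFC 5280 requires them to match) and, as the `skip_trust_anchor` flag reflects, ignores the self-signature on the root because that signature is never checked during path validation.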

