On 05/11/16 13:49, Ryan Sleevi wrote: > As noted elsewhere, the issuance of SHA-1 allows for an attacker to > pivot the contents of the certificates, and the only mitigation is > the EKU on the sub-CA. > > Are you suggesting this is GA because it wasn't clear enough to CA > members at the time this was issued?
It's GA because the Mozilla SHA-1 ban is currently (but see my other message posted today) implemented via the BRs, and because these certs have an EKU but don't have serverAuth, they are pretty clearly not in the scope of the BRs. So we have no policy mechanism to complain. I suspect there are a ton of such email certs out there; it's just that only a few of them happen to make their way into CT and therefore crt.sh. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy