Remember the DigiNotar incident? At the time, I thought that pulling the DigiNotar roots was exactly the right thing to do. I didn't say so as it isn't proper for people to be suggesting putting their competitors out of business. But I thought it the right thing to do.
Not long after, I was sitting in a conference at NIST listening to a talk on how shutting down DigiNotar had shut down the port of Amsterdam and left meat rotting on the quays, etc. Ooops.

The WebPKI is a complicated infrastructure that is used in far more ways than any of us is aware of. And when it was being developed it wasn't clear what the intended scope of use was. So it isn't very surprising that it has been used for a lot of things like point of sale terminals, etc. It is all very well saying that people shouldn't have done these things after the facts are known. But right now, I don't see any program in place telling people in the IoT space what they should be doing for devices that can't be upgraded in the field.

None of the current browser versions support SHA-1. Yes, people could in theory turn it back on for some browsers, but that isn't an argument because the same people can edit their root store themselves as well. Yes, people are still using obsolete versions of Firefox, etc., but do we really think that SHA-1 is the weakest point of attack?

If digest functions are so important, perhaps the industry should be focusing on deployment of SHA-3 as a backup in case SHA-2 is found wanting in the future.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy