I'd prefer a requirement for long serial numbers over a total ban on SHA-1 Sub CAs. The BRs state 112 bits of entropy, so I'd recommend using that for non-BR certificates (assuming client applications don't have issues with that).

Doug

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+doug.beattie=globalsign....@lists.mozilla.org] On Behalf Of Gervase Markham
Sent: Monday, November 7, 2016 8:53 AM
To: Nick Lamb; [email protected]
Subject: Re: Implementing a SHA-1 ban via Mozilla policy

> Another economic tactic would be to require CAs to use long random
> serial numbers even in non-BR certificates.

How long would you say is long enough?

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

