On 08/11/16 13:44, Doug Beattie wrote:
> GlobalSign generated some SHA-1 CAs earlier this year as part of
> normal CA lifecycle management.

Hi Doug,

This is helpful information - can you post it to the bug?
https://bugzilla.mozilla.org/show_bug.cgi?id=1315018

> Why did we not technically constrain these CAs? - Adding EKU to CAs
> can have unintended consequences, especially in older applications.
> Since we don't know all the applications that are using the
> email/client auth certificates it's a risk we didn't want to take.

You may want to do some testing, then, as this is certainly a potential
component of the new SHA-1 policy - see other thread.

Gerv

