On 2016-11-15 18:00, Peter Bowen wrote:
> On Tue, Nov 15, 2016 at 7:25 AM, Kurt Roeckx <[email protected]> wrote:
>> - If it's an enterprise root they need to switch to SHA-2
>
> This is a lot easier said than done for many organizations. Depending
> on the CA software this might be a small configuration change or might
> involve a very large software upgrade. I think the key question here
> is whether Firefox will have an option to do two things:
> 1) Continue to accept signatures over SHA-1 hashes for end-entity certificates
> 2) Continue to accept signatures over SHA-1 hashes for CA certificates in the chain
>
> While these may seem similar (in fact from a crypto risk perspective
> #2 is probably worse than #1), they frequently represent different
> amounts of work required to mitigate for organizations.

The other option would be that Firefox adds an option to allow SHA-1 for
things that are in the trust store but are not in the default trust store.

Kurt
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy