On 16/12/2016 12:22, Hanno Böck wrote:

On Fri, 16 Dec 2016 02:51:47 +0100
Jakob Bohm <[email protected]> wrote:

[Snip: Discussion of potential odd client bug]
...

I wonder if Let's Encrypt ever issued SHA-1 certificates, and if any
of those are non-expired.

Almost certainly not. Given 3 month lifetime of certs this would have
been either a violation of the baseline requirements or an agreed upon
exception. Neither of which I'm aware of, and I'm pretty sure if one of
those happened it would've made some noise.

I wrote that in the part you snipped. The possibility that remains
would be SHA-1 Intermediary CA certs issued before Jan 1, 2016 and not
yet expired. Some of those may have a longer lifetime so they can
(indirectly) sign OCSP responses and CRLs with SHA-1 without violating
the BRs.

Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy