On Wednesday, 1 March 2017 at 11:18:48 UTC+1, Hanno Böck wrote:
> On Wed, 1 Mar 2017 00:44:54 -0800 (PST)
> benjaminpill--- via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> > are root (Enterprise) CA certificates which are based on SHA1 handled
> > as untrusted by Firefox 51? The end certificate is signed using sha256
> > and trusted by an intermediate ca which also uses sha256. Only the root
> > ca is based on sha1. Chrome and IE are not complaining about the root
> > cert.
>
> The signatures on root certificates are mostly irrelevant, as they're
> pure self-signatures that have no real meaning. I think they're
> only there because the certificate format X.509 requires certificates to
> have a signature on themselves.
>
> Therefore afaik it's generally considered okay if root certificates have
> SHA1 signatures. You probably wouldn't create new ones with such
> signatures, but there is no risk for the ecosystem in keeping existing
> ones.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

So why is Firefox complaining with this error message: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy