On Friday, 15 September 2017 16:25:36 UTC+2, Gervase Markham wrote:
> On 15/09/17 13:55, [email protected] wrote:
> > technically the CA now is disabled to sign certificates using SHA1
>
> But presumably you thought that was true before this incident? (And if
> not, why not?)
>
> Gerv

Sorry, Gerv, for the delay in answering – Conny is currently on holiday.

In fact, SHA-1 signing for all operations was previously excluded at the function level. Unfortunately, after this exclusion, a new "reissuing" function was developed, which was initially only operationally tested with a few customers. SwissSign had so far not offered reissuing. The reissue was intended for SHA-2 leaf certificates only. But in this case, the reissue was incorrectly applied to an SHA-1 certificate. We have now also switched off the reissuing function, and additionally the entire Issuing CA is now configured to prohibit SHA-1 issuance. This means the "lock" now operates at the level of the Issuing CA and no longer at the level of a single function.

Reinhard Dietrich
SwissSign

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
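The incident above is the kind of thing an independent audit of issued certificates catches regardless of which CA function produced them. The following is an added example, not SwissSign's code or anything from the thread: a dependency-free Python check that reads the `signatureAlgorithm` OID straight out of a DER-encoded X.509 certificate and flags SHA-1-based algorithms. The sample certificates it runs on are constructed DER skeletons (a placeholder `tbsCertificate` and a zero signature), built inline so the script runs offline; the OID table is the standard set of SHA-1 signature OIDs from RFC 3279 and RFC 5758.

```python
"""Audit DER-encoded X.509 certificates for SHA-1 signature algorithms.

Added example: a CA-independent check over issued certificates. It does not
verify signatures; it only reports which hash family signed each cert.
"""
from typing import Iterator, List, Tuple

# SHA-1 signature algorithm OIDs (RFC 3279 / RFC 5758).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SEQUENCE, OID, NULL, INTEGER, BIT_STRING = 0x30, 0x06, 0x05, 0x02, 0x03


def der_read_tlv(data: bytes, offset: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at offset; return (tag, value, next offset)."""
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def der_children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield the (tag, value) pairs contained in a constructed DER value."""
    off = 0
    while off < len(value):
        tag, val, off = der_read_tlv(value, off)
        yield tag, val


def decode_oid(value: bytes) -> str:
    """Decode OID content octets into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Return the OID of Certificate.signatureAlgorithm (RFC 5280, section 4.1)."""
    tag, body, _ = der_read_tlv(cert_der)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a SEQUENCE")
    children = list(der_children(body))
    if len(children) != 3:
        raise ValueError("expected tbsCertificate, signatureAlgorithm, signature")
    alg_tag, alg_body = children[1]
    if alg_tag != SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    oid_tag, oid_val = next(der_children(alg_body))
    if oid_tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_val)


def uses_sha1(cert_der: bytes) -> bool:
    return signature_algorithm_oid(cert_der) in SHA1_SIGNATURE_OIDS


def audit(certs: List[bytes]) -> List[int]:
    """Return the indices of certificates signed with a SHA-1 algorithm."""
    return [i for i, c in enumerate(certs) if uses_sha1(c)]


# --- constructed sample data: minimal DER skeletons, not real certificates ---
def der_tlv(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def make_skeleton_cert(sig_oid: str) -> bytes:
    """Constructed Certificate ::= SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING }."""
    tbs = der_tlv(SEQUENCE, der_tlv(INTEGER, b"\x01"))  # stand-in tbsCertificate
    alg = der_tlv(SEQUENCE, der_tlv(OID, encode_oid(sig_oid)) + der_tlv(NULL, b""))
    sig = der_tlv(BIT_STRING, b"\x00" + b"\x00" * 64)  # zero placeholder signature
    return der_tlv(SEQUENCE, tbs + alg + sig)


if __name__ == "__main__":
    batch = [make_skeleton_cert("1.2.840.113549.1.1.11"),  # sha256WithRSAEncryption
             make_skeleton_cert("1.2.840.113549.1.1.5")]   # sha1WithRSAEncryption
    print("SHA-1 signed certificates at indices:", audit(batch))
```

On real input, feed `audit()` the DER bytes of every certificate the CA logged as issued or reissued; because the check reads the outer certificate structure rather than any CA function's own record, a reissuance path that bypassed a per-function lock still shows up.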

