I've been asked if the section 5.1.1 restrictions on SHA-1 issuance apply to timestamping CAs. Specifically, does Mozilla policy apply to the issuance of a SHA-1 CA certificate asserting only the timestamping EKU and chaining to a root in our program? Because this certificate is not in scope for our policy as defined in section 1.1, I do not believe that this would be a violation of the policy. And because the CA would be in control of the entire contents of the certificate, I also do not believe that this action would create an unacceptable risk.
I would appreciate everyone's input on this interpretation of our policy.

- Wayne