On Fri, Mar 22, 2019 at 11:51 AM Wayne Thayer via dev-security-policy < [email protected]> wrote:
> I've been asked if the section 5.1.1 restrictions on SHA-1 issuance apply
> to timestamping CAs. Specifically, does Mozilla policy apply to the
> issuance of a SHA-1 CA certificate asserting only the timestamping EKU and
> chaining to a root in our program? Because this certificate is not in scope
> for our policy as defined in section 1.1, I do not believe that this would
> be a violation of the policy. And because the CA would be in control of the
> entire contents of the certificate, I also do not believe that this action
> would create an unacceptable risk.
>
> I would appreciate everyone's input on this interpretation of our policy.

Do you have any information about the use case behind this request? Are there software packages that support a SHA-2 family hash for the issuing CA certificate for the signing certificate but do not support SHA-2 family hashes for the timestamping CA certificate?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

