Entrust has already sunset SHA-1 for S/MIME certificates. Entrust will respond to ballot SC53 and will stop using SHA-1 with OCSP responses and will push this requirement to CRLs as well. We have also reached out to our subordinate CAs to advise of the pending change and confirm their current SHA-1 status.

On Thursday, February 3, 2022 at 11:28:33 AM UTC-5 [email protected] wrote:

> Hello,
>
> This is Cybertrust Japan. One of our root CAs uses SHA-1 for CRL signing.
> But we would like to sunset the use of SHA1. In fact, our plan is to
> retire this SHA-1 Root of SecureSign Root11 and replace it with its
> successors. So we are preparing root inclusion requests.
>
> Best,
> Mo
>
> On Thursday, February 3, 2022 at 2:35:58 UTC+9 [email protected] wrote:
>
>> For the sake of completeness: Let's Encrypt / ISRG does not sign SHA-1
>> hashes for any purpose, and would be amenable to any sunset date.
>>
>> We do accept signatures over SHA-1 hashes of CSRs provided by
>> subscribers, and of course accept SHA-1 hashes for the issuerKeyHash and
>> issuerNameHash in OCSP requests, but those are not relevant to this
>> proposal.
>>
>> Aaron
>>
>> On Tuesday, February 1, 2022 at 7:59:37 PM UTC-8 [email protected]
>> wrote:
>>
>>> I have emailed CAs in the Mozilla program asking them to respond here.
>>>
>>> On Wed, Jan 26, 2022 at 12:41 PM Ryan Sleevi <[email protected]> wrote:
>>>
>>>> On Wed, Jan 26, 2022 at 2:00 PM Ben Wilson <[email protected]> wrote:
>>>>
>>>>> See responses inline below.
>>>>>
>>>>> On Tue, Jan 25, 2022 at 11:12 PM Ryan Sleevi <[email protected]> wrote:
>>>>>
>>>>>> It’s not clear: what situations make it appropriate for a CA
>>>>>> communication, versus discussion here?
>>>>>
>>>>> Yes. It is preferable that discussion take place here. However, a
>>>>> survey would still be public, as they have been in the past, and the
>>>>> CCADB would collect all of the responses in a table format.
>>>>
>>>> Oh, for sure :) I just know that the surveys have historically had
>>>> delays or had confusion by CAs in interpreting questions, and the survey
>>>> approach somewhat predates the m.d.s.p. participation requirement. I
>>>> totally realize that it has benefits for bringing direct awareness, but I
>>>> raise it to try and understand if the expectation is to always have the
>>>> two parallel paths for soliciting feedback, or if it might just be sufficient
>>>> to email blast CAs to say "Hey, here's the discussion, to send feedback,
>>>> please participate here". That, I think, might achieve the goal of
>>>> highlighting the importance, while still centralizing some of the
>>>> conversation :) Just a thought
