TrustCor Systems does not use SHA1 for signing of SMIME certificates, ARLs/CRLs, and OCSP responses and would be open to any sunset date. We do support SHA1 hash-types in our OCSP responses.
Joanna Fox Head of Digital Certificate Compliance On Monday, February 7, 2022 at 9:59:47 AM UTC-7 Jeremy Rowley wrote: > DigiCert supports banning SHA1 across the board. We are no longer > supporting SHA1 signatures for services related to certs trusted by > Mozilla. > > > > Jeremy > > *From:* [email protected] <[email protected]> *On Behalf Of > *Ben Wilson > *Sent:* Monday, February 7, 2022 9:43 AM > *To:* [email protected] <[email protected]> > *Subject:* Re: Policy 2.8: MRSP Issue #178: Sunset SHA1 > > > > I feel we need additional input here from Certification Authorities who > have not yet responded. > > > > On Fri, Feb 4, 2022 at 2:08 PM Rob Stradling <[email protected]> wrote: > > Sectigo currently still "sign[s] SHA-1 hashes over CRLs for roots and > intermediates only if they have issued SHA-1 certificates", as permitted by > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#513-sha-1 > . > > > > It would require very little effort for us to reconfigure these roots and > intermediates so that they use SHA-256 instead. > > > > We expect that switching to SHA-256 will bring minimal, perhaps even zero, > disruption to relying parties. Therefore, we'll be happy with whatever > sunset date Mozilla chooses. > > > ------------------------------ > > *From:* [email protected] <[email protected]> on behalf of > Ben Wilson <[email protected]> > *Sent:* 02 February 2022 03:59 > *To:* Ryan Sleevi <[email protected]> > *Cc:* [email protected] <[email protected]> > *Subject:* Re: Policy 2.8: MRSP Issue #178: Sunset SHA1 > > > > CAUTION: This email originated from outside of the organization. Do not > click links or open attachments unless you recognize the sender and know > the content is safe. > > > > I have emailed CAs in the Mozilla program asking them to respond here. > > > > On Wed, Jan 26, 2022 at 12:41 PM Ryan Sleevi <[email protected]> wrote: > > > > > > On Wed, Jan 26, 2022 at 2:00 PM Ben Wilson <[email protected]> wrote: > > See responses inline below. > > > > On Tue, Jan 25, 2022 at 11:12 PM Ryan Sleevi <[email protected]> wrote: > > It’s not clear: what situations make it appropriate for a CA > communication, versus discussion here? > > > > Yes. It is preferable that discussion take place here. However, a survey > would still be public, as they have been in the past, and the CCADB would > collect all of the responses in a table format. > > > > Oh, for sure :) I just know that the surveys have historically had delays > or had confusion by CAs in interpreting questions, and the survey approach > somewhat predates the m.d.s.p. participation requirement. I totally realize > that it has benefits for bringing direct awareness, but I raise it to try > and understand if the expectation is to always have the two parallel paths > for soliciting feedback, or if it might just be sufficient to email blast > CAs to say "Hey, here's the discussion, to send feedback, please > participate here". That, I think, might achieve the goal of highlighting > the importance, while still centralizing some of the conversation :) Just a > thought > > > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtab2Kvq5i%3D6bzPDaMpguUJFx68MMRSnJMw1s_HDCZ8X9rA%40mail.gmail.com > > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fd%2Fmsgid%2Fdev-security-policy%2FCA%252B1gtab2Kvq5i%253D6bzPDaMpguUJFx68MMRSnJMw1s_HDCZ8X9rA%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=04%7C01%7Crob%40sectigo.com%7C3f3a63b6d9e04ec7c36a08d9e6006f24%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637793712875801542%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=2K%2BxNilZtKPx94L1dmj%2Fk3HHRUBTeFknWRmsvrTR550%3D&reserved=0> > . > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabsr__yskc6K8%2BDc%3DOQGYp5C-mQBanqeBm67-R3qOQi_w%40mail.gmail.com > > <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabsr__yskc6K8%2BDc%3DOQGYp5C-mQBanqeBm67-R3qOQi_w%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/5f506231-d30a-434c-9448-46be5097ae23n%40mozilla.org.
