Hi Ben,
GlobalSign supports banning SHA-1 across the board. We no longer supporting SHA-1 signatures for services related to certs trusted by Mozilla except for the "GlobalSign Root CA" CRL and we plan to change that over prior to September. We use SHA-1 for other purposes such as accepting SHA-1 hashes in CSRs, for the issuerKeyHash and issuerNameHash in OCSP requests, and in computing and validating subjectkeyidentifer and issuerkeyidentifier values. Doug From: [email protected] <[email protected]> On Behalf Of Ben Wilson Sent: Monday, February 7, 2022 11:43 AM To: [email protected] <[email protected]> Subject: Re: Policy 2.8: MRSP Issue #178: Sunset SHA1 I feel we need additional input here from Certification Authorities who have not yet responded. On Fri, Feb 4, 2022 at 2:08 PM Rob Stradling <[email protected] <mailto:[email protected]> > wrote: Sectigo currently still "sign[s] SHA-1 hashes over CRLs for roots and intermediates only if they have issued SHA-1 certificates", as permitted by https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#513-sha-1. It would require very little effort for us to reconfigure these roots and intermediates so that they use SHA-256 instead. We expect that switching to SHA-256 will bring minimal, perhaps even zero, disruption to relying parties. Therefore, we'll be happy with whatever sunset date Mozilla chooses. _____ From: [email protected] <mailto:[email protected]> <[email protected] <mailto:[email protected]> > on behalf of Ben Wilson <[email protected] <mailto:[email protected]> > Sent: 02 February 2022 03:59 To: Ryan Sleevi <[email protected] <mailto:[email protected]> > Cc: [email protected] <mailto:[email protected]> <[email protected] <mailto:[email protected]> > Subject: Re: Policy 2.8: MRSP Issue #178: Sunset SHA1 CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. I have emailed CAs in the Mozilla program asking them to respond here. On Wed, Jan 26, 2022 at 12:41 PM Ryan Sleevi <[email protected] <mailto:[email protected]> > wrote: On Wed, Jan 26, 2022 at 2:00 PM Ben Wilson <[email protected] <mailto:[email protected]> > wrote: See responses inline below. On Tue, Jan 25, 2022 at 11:12 PM Ryan Sleevi <[email protected] <mailto:[email protected]> > wrote: It’s not clear: what situations make it appropriate for a CA communication, versus discussion here? Yes. It is preferable that discussion take place here. However, a survey would still be public, as they have been in the past, and the CCADB would collect all of the responses in a table format. Oh, for sure :) I just know that the surveys have historically had delays or had confusion by CAs in interpreting questions, and the survey approach somewhat predates the m.d.s.p. participation requirement. I totally realize that it has benefits for bringing direct awareness, but I raise it to try and understand if the expectation is to always have the two parallel paths for soliciting feedback, or if it might just be sufficient to email blast CAs to say "Hey, here's the discussion, to send feedback, please participate here". That, I think, might achieve the goal of highlighting the importance, while still centralizing some of the conversation :) Just a thought -- You received this message because you are subscribed to the Google Groups "[email protected] <mailto:[email protected]> " group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]> . To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtab2Kvq5i%3D6bzPDaMpguUJFx68MMRSnJMw1s_HDCZ8X9rA%40mail.gmail.com. -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]> . To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabsr__yskc6K8%2BDc%3DOQGYp5C-mQBanqeBm67-R3qOQi_w%40mail.gmail.com <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabsr__yskc6K8%2BDc%3DOQGYp5C-mQBanqeBm67-R3qOQi_w%40mail.gmail.com?utm_medium=email&utm_source=footer> . -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/PUZPR03MB612999714B7DD2E8BF2D68D4F02D9%40PUZPR03MB6129.apcprd03.prod.outlook.com.
smime.p7s
Description: S/MIME cryptographic signature
