Hello all, Google Trust Services does not sign SHA-1 hashes over any data. We are fine with any sunset date as it will not affect our practices.
Google Trust Services On Monday, February 7, 2022 at 5:43:27 PM UTC+1 [email protected] wrote: > I feel we need additional input here from Certification Authorities who > have not yet responded. > > On Fri, Feb 4, 2022 at 2:08 PM Rob Stradling <[email protected]> wrote: > >> Sectigo currently still "sign[s] SHA-1 hashes over CRLs for roots and >> intermediates only if they have issued SHA-1 certificates", as permitted by >> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#513-sha-1 >> . >> >> It would require very little effort for us to reconfigure these roots and >> intermediates so that they use SHA-256 instead. >> >> We expect that switching to SHA-256 will bring minimal, perhaps even >> zero, disruption to relying parties. Therefore, we'll be happy with >> whatever sunset date Mozilla chooses. >> >> ------------------------------ >> *From:* [email protected] <[email protected]> on behalf of >> Ben Wilson <[email protected]> >> *Sent:* 02 February 2022 03:59 >> *To:* Ryan Sleevi <[email protected]> >> *Cc:* [email protected] <[email protected]> >> *Subject:* Re: Policy 2.8: MRSP Issue #178: Sunset SHA1 >> >> >> CAUTION: This email originated from outside of the organization. Do not >> click links or open attachments unless you recognize the sender and know >> the content is safe. >> >> I have emailed CAs in the Mozilla program asking them to respond here. >> >> On Wed, Jan 26, 2022 at 12:41 PM Ryan Sleevi <[email protected]> wrote: >> >> >> >> On Wed, Jan 26, 2022 at 2:00 PM Ben Wilson <[email protected]> wrote: >> >> See responses inline below. >> >> On Tue, Jan 25, 2022 at 11:12 PM Ryan Sleevi <[email protected]> wrote: >> >> It’s not clear: what situations make it appropriate for a CA >> communication, versus discussion here? >> >> >> Yes. It is preferable that discussion take place here. However, a survey >> would still be public, as they have been in the past, and the CCADB would >> collect all of the responses in a table format. >> >> >> Oh, for sure :) I just know that the surveys have historically had delays >> or had confusion by CAs in interpreting questions, and the survey approach >> somewhat predates the m.d.s.p. participation requirement. I totally realize >> that it has benefits for bringing direct awareness, but I raise it to try >> and understand if the expectation is to always have the two parallel paths >> for soliciting feedback, or if it might just be sufficient to email blast >> CAs to say "Hey, here's the discussion, to send feedback, please >> participate here". That, I think, might achieve the goal of highlighting >> the importance, while still centralizing some of the conversation :) Just a >> thought >> >> -- >> You received this message because you are subscribed to the Google Groups >> "[email protected]" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtab2Kvq5i%3D6bzPDaMpguUJFx68MMRSnJMw1s_HDCZ8X9rA%40mail.gmail.com >> >> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fd%2Fmsgid%2Fdev-security-policy%2FCA%252B1gtab2Kvq5i%253D6bzPDaMpguUJFx68MMRSnJMw1s_HDCZ8X9rA%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=04%7C01%7Crob%40sectigo.com%7C3f3a63b6d9e04ec7c36a08d9e6006f24%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637793712875801542%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=2K%2BxNilZtKPx94L1dmj%2Fk3HHRUBTeFknWRmsvrTR550%3D&reserved=0> >> . >> > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/4f6c3987-d292-4094-b7b2-a8639808a0b5n%40mozilla.org.
