Nelson B Bolyard wrote:
However, Izenpe may want to consider only including the SHA1 root because many of their customers may be using operating systems that don’t yet support SHA256.
<snip>
I think that covers all the considerations that would go into a decision of whether to include only a SHA1-based cert, or whether to include a newer SHA256 cert. I will stop short of making a recommendation for Izenpe in this case.
Kathleen, I think the best approach is to present Izenpe with Nelson's analysis (for which, thanks!) and let them decide. Personally I think the potential downside from including the SHA-256 root is pretty small.
Frank

--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto