Hi,

We're already having some discussions about SHA-1, but I'll split this up into a new thread.

The initial goal of bug 942515 was to mark certs as insecure that are valid 'notBefore >= 2016-01-01' (meaning issued for use in 2016+) AND also certs that are valid 'notAfter >= 2017-1-1' (meaning still valid in 2017+).

The first condition has been implemented, but there are some 'compatibility' issues with MITM software. [1]

The second condition has not been implemented, but it was already announced [2], and it was also considered to set the cut-off half a year earlier, to July 1, 2016. If this should really happen, we need to hurry up on this discussion. Of course, the problem mentioned in [1] should be solved first.

Regards,
Jonas

[1] https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/
[2] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
[3] https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto