Re: SHA-1 S/MIME certificates

2016-03-30 Thread Andrew R. Whalley
On Wed, Mar 30, 2016 at 2:23 PM, Kathleen Wilson wrote: > On 3/30/16 1:53 PM, Jeremy Rowley wrote: > >> I think a required move away from SHA1 client certs requires a bit more >> planning. >> >> 1) There hasn't been a formal deprecation of all SHA-1 certificates in >> any

Re: SHA-1 S/MIME certificates

2016-03-30 Thread Kathleen Wilson
On 3/30/16 1:53 PM, Jeremy Rowley wrote: I think a required move away from SHA1 client certs requires a bit more planning. 1) There hasn't been a formal deprecation of all SHA-1 certificates in any root store policy. There has been a formal deprecation by the CAB Forum of SHA1 server

Re: SHA-1 S/MIME certificates

2016-03-30 Thread Jakob Bohm
On 30/03/2016 22:53, Jeremy Rowley wrote: I think a required move away from SHA1 client certs requires a bit more planning. 1) There hasn't been a formal deprecation of all SHA-1 certificates in any root store policy. There has been a formal deprecation by the CAB Forum of SHA1 server

RE: SHA-1 S/MIME certificates

2016-03-30 Thread Jeremy Rowley
I think a required move away from SHA1 client certs requires a bit more planning. 1) There hasn't been a formal deprecation of all SHA-1 certificates in any root store policy. There has been a formal deprecation by the CAB Forum of SHA1 server certificates. Considering many of the client cert

Re: SHA-1 S/MIME certificates

2016-03-30 Thread Jakob Bohm
On 30/03/2016 18:49, Kathleen Wilson wrote: All, In response to the 'March 2016 CA Communication' I received the following question from a CA. I think we should discuss it here, because I suspect there will be other CAs in this same situation. > We have a problem since we still issue SHA-1

Re: SHA-1 S/MIME certificates

2016-03-30 Thread Kathleen Wilson
I am, indeed, receiving this question from multiple CAs. As for responding to the survey, note that Action #1a and Action #1b ask for dates regarding SHA-1 SSL certs (unless their included root certs do not have the Websites trust bit set). "ACTION #1a: ... Please enter the last date that a

SHA-1 S/MIME certificates

2016-03-30 Thread Kathleen Wilson
All, In response to the 'March 2016 CA Communication' I received the following question from a CA. I think we should discuss it here, because I suspect there will be other CAs in this same situation. > We have a problem since we still issue SHA-1 S/MIME > certificates. Do we really have to

Re: ComSign Root Renewal Request

2016-03-30 Thread Eli Spitzer
On Wednesday, March 30, 2016 at 4:36:44 AM UTC+3, Andrew Whalley wrote: > Hello Jesus, > > Great points! > > > Reviewing the BR audit report of Comsign Ltd I have a few doubts regarding > > the audits accepted by Mozilla and may someone can help me. > > > > The BR audit was conducted according

Re: A-Trust Root Renewal Request

2016-03-30 Thread Andrew Whalley
Hello, Given the numerous problems discovered so far, including several that contract the explicit declaration made to Mozilla [1], I would not feel comfortable supporting the application at this juncture. My next step would be to go though the CP/CPS with a fine-tooth comb, but alas my