Re: Security Blog about SHA-1

2014-09-26 Thread Erwann Abalea
On Thursday, 25 September 2014 22:54:07 UTC+2, Hubert Kario wrote:
 - Original Message -
  From: Chris Palmer p@google.com
[...]
  SHA-1 signature algorithms are not per se bad right now; what's bad is
  certificate chains using SHA-1 that will/would be valid too far in the
  future. Between now and 1 Jan 2016, and between then and 1 Jan 2017,
  there is plenty of time to get a new certificate, signed with a
  SHA-256-based signature function.
 
 It's debatable if the 2016 date is good. NIST doesn't agree.

According to NIST SP800-57 Part 1, doing a signature with SHA-1 is deprecated 
since 2011 and disallowed since 2014.
We're not too far from NIST.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Security Blog about SHA-1

2014-09-25 Thread Hubert Kario
- Original Message -
 From: Chris Palmer pal...@google.com
 To: Chris Egeland ch...@chrisegeland.com
 Cc: mozilla-dev-security-pol...@lists.mozilla.org 
 dev-security-policy@lists.mozilla.org
 Sent: Wednesday, 24 September, 2014 11:53:58 PM
 Subject: Re: Security Blog about SHA-1
 
 Also, there's no problem (from a Chrome UX perspective) because
 Mozilla's certificate expires on 7 December 2015 — well before that
 bad 1 Jan 2017 date, and even before the dodgy 1 Jan 2016 date.
 
 http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
 
 SHA-1 signature algorithms are not per se bad right now; what's bad is
 certificate chains using SHA-1 that will/would be valid too far in the
 future. Between now and 1 Jan 2016, and between then and 1 Jan 2017,
 there is plenty of time to get a new certificate, signed with a
 SHA-256-based signature function.

It's debatable if the 2016 date is good. NIST doesn't agree.

But yes, as far as Internet certs go, the Mozilla one is not so bad.

-- 
Regards,
Hubert Kario
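The sunset rule quoted above (SHA-1 chains are only a problem if they stay valid into 2016, and worse if into 2017) can be turned into a check against one's own certificate chain. The following is an added example, not code from the thread or from Chrome/Mozilla: it reads the signature algorithm name and the `notAfter=` line as `openssl x509 -noout -enddate` prints it, and the sample Mozilla-like chain is constructed here (the 7 December 2015 expiry comes from the thread; the time of day and the intermediate are assumed).

```python
from datetime import datetime, timezone

# Tiers from least to most concerning, following the dates quoted in the thread.
TIERS = [
    "no SHA-1",
    "SHA-1, expires before 2016",
    "SHA-1, valid into 2016",
    "SHA-1, valid into 2017",
]
STAGE_DATES = (
    ("SHA-1, valid into 2016", datetime(2016, 1, 1, tzinfo=timezone.utc)),
    ("SHA-1, valid into 2017", datetime(2017, 1, 1, tzinfo=timezone.utc)),
)


def parse_openssl_enddate(line):
    """Parse 'notAfter=Dec  7 23:59:59 2015 GMT' (the `openssl x509 -enddate` format)."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def sha1_chain_status(chain):
    """chain: list of (signature_algorithm, notAfter_line) for the leaf and intermediates.

    Returns the worst tier found in the chain. A chain is rated by its SHA-1-signed
    certificate that stays valid the longest, since that is the one that keeps the
    chain under SHA-1 past the sunset dates.
    """
    worst = "no SHA-1"
    for sig_alg, enddate_line in chain:
        if "sha1" not in sig_alg.lower():
            continue  # SHA-256 (or other) signature: not affected by the sunset
        not_after = parse_openssl_enddate(enddate_line)
        tier = "SHA-1, expires before 2016"
        for label, boundary in STAGE_DATES:
            if not_after >= boundary:
                tier = label
        worst = max(worst, tier, key=TIERS.index)
    return worst


# Constructed sample resembling the chain discussed: SHA-1 leaf expiring 7 Dec 2015,
# intermediate (assumed) already signed with SHA-256.
MOZILLA_LIKE_CHAIN = [
    ("sha1WithRSAEncryption", "notAfter=Dec  7 23:59:59 2015 GMT"),
    ("sha256WithRSAEncryption", "notAfter=Dec 31 23:59:59 2020 GMT"),
]

if __name__ == "__main__":
    print(sha1_chain_status(MOZILLA_LIKE_CHAIN))  # SHA-1, expires before 2016
```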


Re: Security Blog about SHA-1

2014-09-24 Thread Rick Andrews
Kathleen, why is mozilla.org still using a SHA-1 cert? 