Re: SHA-1 Phase-out

2016-11-22 Thread Gervase Markham
On 21/11/16 20:29, Myers, Kenneth (10421) wrote:
> I've been trying to stay on top of the SHA-1 phase-out discussion but
> lost track. Where did it leave off?
I drafted a potential update to Mozilla's policy which was discussed here, and has now moved to the CAB Forum public list for f

Re: SHA-1 Phase-out

2016-11-21 Thread Myers, Kenneth (10421)
Hi Gerv,
I've been trying to stay on top of the SHA-1 phase-out discussion but lost track. Where did it leave off? I think I saw something of doing a ban at the browser level to not trust the SHA-1 algorithm. Is this possible?
Kenneth Myers Manager +1.571.366.6120 +1.703.299.3046 fax

Re: SHA-1 Phase-out

2016-11-16 Thread Gervase Markham
On 16/11/16 09:08, Kurt Roeckx wrote:
> The other option would be that Firefox adds an option to allow SHA-1 for
> things that are in the trust store but are not in the default trust store.
AIUI, that is going to be the default behaviour.
Gerv

Re: SHA-1 Phase-out

2016-11-16 Thread Kurt Roeckx
On 2016-11-15 18:00, Peter Bowen wrote:
> On Tue, Nov 15, 2016 at 7:25 AM, Kurt Roeckx wrote:
> > - If it's an enterprise root they need to switch to SHA-2
> This is a lot easier said than done for many organizations. Depending on the CA software this might be a small configuration

Re: SHA-1 Phase-out

2016-11-15 Thread Peter Bowen
On Tue, Nov 15, 2016 at 7:25 AM, Kurt Roeckx wrote:
>
> - If it's an enterprise root they need to switch to SHA-2
This is a lot easier said than done for many organizations. Depending on the CA software this might be a small configuration change or might involve a very large

Re: SHA-1 Phase-out

2016-11-15 Thread Kurt Roeckx
On 2016-11-15 16:19, Gervase Markham wrote:
> On 15/11/16 12:20, jansomar...@gmail.com wrote:
> > I would step in to your discussion if you don't mind. My question is very similar to the original one but in regards to internal usage of SHA-1 signed certs. We are running a large number of network devs

Re: SHA-1 Phase-out

2016-11-15 Thread jansomartin
Hello Guys, I would step in to your discussion if you don't mind. My question is very similar to the original one but in regards to internal usage of SHA-1 signed certs. We are running a large number of network devs acting as a proxy and users need to authenticate in order to access some of the

Re: SHA-1 Phase-out

2016-10-12 Thread Nick Lamb
On Wednesday, 12 October 2016 14:50:22 UTC+1, Gervase Markham wrote:
> However, we would counsel all sites to move
> away from SHA-1 as the user experience will be as bad as the security.
A message I've seen from some security vendors, that I don't want us reinforcing, is the idea that the

SHA-1 Phase-out

2016-10-12 Thread Konstantinos Tsimaris
Hi Security team, I have 2 questions with which I would be grateful if you can help. I have seen various posts mentioning that after the 1st of January 2017, browsers will stop support of SHA1 signed CAs. I am looking into a way to identify which web sites will not work until a new certificate is applied and