On Wed, Nov 13, 2013 at 6:37 AM, Jan Schejbal <jan.schejbal_n...@gmx.de> wrote:

> On 2013-11-13 13:47, Gervase Markham wrote:
> > We could update our program requirements to be identical to theirs, but
> > the effect on actual CA operations would be fairly small, I fancy -
> > because they are all doing it anyway. Is that what you are suggesting,
> > or something else?
>
> Wouldn't it make sense to add this in the CAB Forum Baseline Requirements?
>

Not really.

Putting a commitment in the Baseline Requirements is necessary to break a
deployment deadlock situation where browser providers can't act without
support from CAs and CAs can't act without the browser providers taking the
first step.

Once it is clear that SHA-1 certs are not going to work on a large number
of browsers, demand for such certificates is going to fall rapidly.

The only people left using SHA-1 certs are going to be a handful of
corner-case non-browser applications who mostly understand the risks of their
approach. I don't mind shooting those folk in the foot if that is the only
way to get a change to happen in the wider browser use case but I don't
think it is necessary to shoot them in the foot just for the sake of it.


One major consequence of this change is going to be that a huge number of
older browsers will just stop working with SSL. Which is good for browser
providers and CAs but is likely to require some people to upgrade their
computer so they can run a modern OS. It is also likely to brick a large
number of cell phones as far as online commerce goes.

The second is actually a big concern in large parts of the world where
renting a mobile phone with Internet access is many people's way of earning
a living.


-- 
Website: http://hallambaker.com/
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
