----- Original Message ----- > From: "Chris Palmer" <pal...@google.com> > To: "Chris Egeland" <ch...@chrisegeland.com> > Cc: "mozilla-dev-security-pol...@lists.mozilla.org" > <dev-security-policy@lists.mozilla.org> > Sent: Wednesday, 24 September, 2014 11:53:58 PM > Subject: Re: Security Blog about SHA-1 > > Also, there's no problem (from a Chrome UX perspective) because > Mozilla's certificate expires on 7 December 2015 — well before that > bad 1 Jan 2017 date, and even before the dodgy 1 Jan 2016 date. > > http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html > > SHA-1 signature algorithms are not per se bad right now; what's bad is > certificate chains using SHA-1 that will/would be valid too far in the > future. Between now and 1 Jan 2016, and between then and 1 Jan 2017, > there is plenty of time to get a new certificate, signed with a > SHA-256-based signature function.
It's debatable if the 2016 date is good. NIST doesn't agree.... but yes, as far as Internet certs go, mozilla one is not so bad -- Regards, Hubert Kario _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
