Gervase Markham <g...@mozilla.org> writes:

>Mozilla is very keen to see SHA-1 eliminated, but understands that for
>historical reasons poor decisions were made in private PKIs about which roots
>to trust, and such decisions are not easily remedied.

I'm curious about what's going on here, as you say this is a private PKI, so why do they need certs from a public CA? Presumably Worldpay is doing this for B2B comms, so why don't they issue their own certs, and they can keep using SHA-1 for as long as required?

It seems like Worldpay's mistake wasn't failing to update SHA-1 only devices, it was using a public CA for a private PKI.

Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy