Right but that's a very vague and general statement. Why won't an old root work? Which root store are they using? Did they actually try MD5 certs that are automatically blocked? All of the details about what's been tried are unknown.
-----Original Message-----
From: Gervase Markham [mailto:g...@mozilla.org]
Sent: Wednesday, February 24, 2016 9:11 AM
To: Jeremy Rowley; Rob Stradling; mozilla-dev-security-pol...@lists.mozilla.org
Cc: Kathleen Wilson; Richard Barnes
Subject: Re: Proposed limited exception to SHA-1 issuance

On 24/02/16 15:45, Jeremy Rowley wrote:
> I think Rob's questions are great and should be answered before deciding.
> Many CAs have roots and can issue certs that browsers will simply reject.
> There may be a simple way to provide them certs without issuing a ton
> of SHA1s that are placed on OneCRL.

As noted during the CAB Forum meeting where this was discussed: they have 200,000+ devices affected, and the "use an old or decommissioned or otherwise non-BR root" plan works with 90% of them, but not all. That was plan A, and it didn't work. We are now on plan B.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy