On Friday, 15 April 2016 20:26:39 UTC+3, Richard Barnes wrote:

> Do you mean SHA-1 for client certificates? For those, the browser isn't
> the relying party; it would be up to the website to decide whether a SHA-1
> client certificate is acceptable.
But the browser still needs to "support" the certificates. Given the somewhat fragile state of client certificate authentication (keygen removal, "x509 UX is ugly", etc.), maybe it might be useful to have a baseline profile for client certificates as well? What if I used 512-bit RSA keys? MD5? Shall a browser or some other client-side system intervene? Drawing a reasonable line with reasonable dates might be helpful to the community as a whole.

