On Thu, 1 Sep 2016 09:00:38 -0700
"Ryan Sleevi" <r...@sleevi.com> wrote:

> Incident -2: 16 January 2015 - 5 March 2015 - 1,132 BR-violating SHA-1
> certificates ( https://cert.webtrust.org/SealFile?seal=2019&file=pdf )

This was a violation of a "SHOULD NOT" (not a "MUST NOT") issue SHA-1
certificates that expire after 2016.  Since issuing SHA-1 certificates
was not forbidden in 2015 and the notAfter date is immaterial to the
risk of SHA-1 collisions[1], it would be unfair and counterproductive
to hold this against WoSign.

Regards,
Andrew

[1] In fact, stockpiling long-lived SHA-1 certs in 2015 would have been
vastly better for the ecosystem than using "legacy" roots or
requesting an exception in 2016.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
