On Thu, Sep 01, 2016 at 07:48:23PM +0800, Man Ho (Certizen) wrote:
> 
> On 9/1/2016 6:13 PM, Matt Palmer wrote:
> > You might want to let them know it's time to get new certs.
> >
> > - Matt
> We did inform all subscribers back in October 2014 that SHA-1 SSL server
> cert was CEASED since 1 January 2016, and reminded each of them
> individually that SHA-1 SSL server cert will no longer be trusted by
> browsers starting from 1 January 2017. Some of them might have replaced
> their SHA-1 SSL server cert by new cert (either from us or other CA, I
> don't know), without letting us know to revoke their SHA-1 SSL server
> cert. Some of them might want to keep using their SHA-1 SSL server cert
> until its expiry, which is still well before the well-known deadline 1
> January 2017. I believe that their rights to use SHA-1 SSL server cert
> before deadline should not be affected.

They're within their rights to use it, but if Mozilla's going to blacklist
the intermediate, they're not going to get the results they want from the
product you sold them.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
