Today, Mozilla is publishing an additional document containing further research into the back-dating of SHA-1 certificates, in violation of the CAB Forum Baseline Requirements, to avoid browser blocks. It also contains some conclusions we have drawn from the recent investigations, and a proposal for discussion regarding the action that Mozilla's root program should take in response.
Because this document is extensive and contains embedded images, links and formatting, I have published it on Google Docs instead of as an email message here:

https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit

However, this forum is the appropriate place for discussing it. Please feel free to cut and paste any parts you wish to quote and comment on.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy