On Wednesday, 12 October 2016 14:50:22 UTC+1, Gervase Markham wrote:

> However, we would counsel all sites to move
> away from SHA-1 as the user experience will be as bad as the security.
A message I've seen from some security vendors, that I don't want us reinforcing, is the idea that the SHA-1 certificates themselves are a security problem and "upgrading" to a SHA-256 certificate improves security.

I think bank notes (outside the US) are a useful analogy. Sometimes the central bank may begin issuing a new note with improved anti-forgery features. To ensure forgers can't just keep making the old, more easily forged notes, these are eventually withdrawn from general use once enough of the new are in circulation. It would be a mistake to try to "improve" the security of your business by swapping all its cash for the latest notes. The new notes aren't "more secure" in a way that affects you; you haven't improved anything by doing this. Your business should pay attention to notices from the bank about new notes coming into circulation and about old ones being withdrawn, and make appropriate plans, but so long as it does that there's no problem.

Web PKI Subscribers should be switching to SHA-1 because their Issuer requires it. CA/B rules make that clear, compliance seems to be pretty good, but browser vendors like Mozilla are taking out insurance against the possibility that somebody, somewhere, made a mistake. In my view, for ordinary subscribers in the Web PKI it's primarily a compatibility issue, rather than a security issue.

Off the Web PKI, in private systems, the risk/reward may look very different. If your PKI only issues certificates on a sight basis to a handful of trusted individuals, suddenly the chosen prefix attack doesn't look like a real security risk at all, so SHA-1 seems fine.

dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy