On 28/10/16 16:11, Patrick Figel wrote:
> #7
> Some non-TLS-Server-Auth SHA-1 certificates chaining up to "Certum CA"
> (Asseco Data Systems S.A.). Most appear to be S/MIME or TLS client auth
> certificates, but I don't think the intermediates have any relevant
> technical constraints. I'm not sure if they're in scope for BRs/Mozilla,
> but here's the list in any case:
> https://crt.sh/?id=26427662&opt=cablint
> https://crt.sh/?id=32333872&opt=cablint
> https://crt.sh/?id=19594797&opt=cablint
> https://crt.sh/?id=24979702&opt=cablint

The scope of the BRs is debatable. These certs are clearly in scope for
Mozilla policy, as they chain up to trusted roots; however Mozilla
policy does not (yet) ban SHA-1 issuance other than via the BRs. This
may be fixed in policy version 2.3.

Without tls-server-auth and with other EKUs, these certs would not be
trusted in Firefox. The systemic risks from SHA-1 issuance remain, however.

Gerv
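The distinction the two messages turn on is mechanical: is a leaf certificate SHA-1 signed, and does its Extended Key Usage extension include id-kp-serverAuth (or omit EKU entirely, which per RFC 5280 leaves it usable for any purpose, TLS server authentication included)? The following classifier is an added example, not code from Patrick, Gerv, Mozilla or crt.sh. It assumes the third-party `cryptography` package, and the certificates it audits are constructed in the block itself (self-signed, with the signature hash and EKU values chosen to mirror the cases in the thread) rather than the real crt.sh entries linked above. `classify_pem` is provided so the same check can be run on a PEM downloaded from crt.sh.

```python
"""Flag SHA-1-signed certificates and report whether their EKU permits TLS
server authentication (the Baseline Requirements' scope question above).
Added example; assumes the `cryptography` package is installed."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def classify(cert: x509.Certificate) -> dict:
    """Return the facts a policy reviewer wants about one certificate."""
    try:
        ekus = set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        ekus = None  # no EKU extension: RFC 5280 treats the key as usable for any purpose
    sig_hash = cert.signature_hash_algorithm
    sha1_signed = isinstance(sig_hash, hashes.SHA1)
    # A cert without EKU, or with id-kp-serverAuth present, can be used for TLS server auth;
    # one whose EKU lists only other purposes (S/MIME, client auth) cannot, which is the
    # "would not be trusted in Firefox" case in the message above.
    server_auth = ekus is None or ExtendedKeyUsageOID.SERVER_AUTH in ekus
    return {
        "subject": cert.subject.rfc4514_string(),
        "signature_hash": sig_hash.name if sig_hash is not None else None,
        "sha1_signed": sha1_signed,
        "server_auth_eku": server_auth,
        "sha1_tls_server_cert": sha1_signed and server_auth,  # the clear-cut BR violation
        "ekus": sorted(oid.dotted_string for oid in ekus) if ekus is not None else None,
    }


def classify_pem(pem: bytes) -> dict:
    """Convenience wrapper for a PEM blob, e.g. one downloaded from crt.sh."""
    return classify(x509.load_pem_x509_certificate(pem))


def _make_cert(common_name: str, hash_alg, ekus):
    """Constructed test data: a self-signed leaf with the given signature hash and EKU list.
    Hypothetical helper; it stands in for the real Certum-issued certificates."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start = datetime.datetime(2016, 10, 28, tzinfo=datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
    )
    if ekus is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(key, hash_alg)


def audit_samples() -> dict:
    """Run the classifier over constructed certificates mirroring the thread's cases."""
    samples = [
        ("smime-sha1", hashes.SHA1(), [ExtendedKeyUsageOID.EMAIL_PROTECTION]),
        ("client-auth-sha1", hashes.SHA1(), [ExtendedKeyUsageOID.CLIENT_AUTH]),
        ("tls-server-sha1", hashes.SHA1(),
         [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH]),
        ("tls-server-sha256", hashes.SHA256(), [ExtendedKeyUsageOID.SERVER_AUTH]),
        ("no-eku-sha1", hashes.SHA1(), None),
    ]
    return {label: classify(_make_cert(label, alg, eku)) for label, alg, eku in samples}


if __name__ == "__main__":
    for label, facts in audit_samples().items():
        print(f"{label:18s} hash={facts['signature_hash']:7s} "
              f"serverAuth={facts['server_auth_eku']!s:5s} "
              f"SHA-1 TLS server cert={facts['sha1_tls_server_cert']}")
```

Only `sha1_tls_server_cert` marks the case the BRs unambiguously forbid; the S/MIME and client-auth rows come back SHA-1 signed but outside TLS server usage, which is exactly the "debatable" bucket in the reply, and the no-EKU row shows why an absent extension is not the same as a restrictive one.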

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy