On Saturday, October 29, 2016 at 12:02:54 PM UTC-5, Gervase Markham wrote:
> The scope of the BRs is debatable. These certs are clearly in scope for
> Mozilla policy, as they chain up to trusted roots; however Mozilla
> policy does not (yet) ban SHA-1 issuance other than via the BRs. This
> may be fixed in policy version 2.3.
>
> Without tls-server-auth and with other EKUs, these certs would not be
> trusted in Firefox. The systemic risks from SHA-1 issuance remain, however.
>
> Gerv
Gerv,

Given the discussions in the past about the risks of SHA-1 issuance for *any* cert type, and the responses to action #1c from the March 2016 CA communication, are there any public plans for dealing with this type of certificate yet? Do these non-server certs only fall under the BRs' sigAlg policy if a generated certificate collision has an EKU of server auth? (And by that time, is it too late?)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy