On 03/11/16 21:17, Jakob Bohm wrote:
> Note that the GlobalSign SHA-1 intermediaries chain only to their old
> SHA-1 root which is (I believe) not used for any SHA-256 certs, except
> a cross-cert that signs their current SHA-256 root.

Nevertheless, it is still in Mozilla's trust store.

> So I suspect the intent of GlobalSign is that the old SHA-1 root should
> lose its ServerAuth trust bit around 2017-01-01, reducing it to a
> SHA-1-forever root trusted only by old SHA-1-only systems and maybe for
> e-mail (because some non-Mozilla e-mail clients were very late to
> supporting SHA-2 e-mail signatures).

If this were true, a) that's not good enough, as SHA-1 issuance has been banned by the BRs since 2016-01-01, and b) they would have needed to file a bug for this trust change long ago, and I can't find one.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy