On 07/11/16 13:11, Phillip Hallam-Baker wrote:
> Not long after I was sitting in a conference at NIST listening to a talk on
> how shutting down DigiNotar had shut down the port of Amsterdam and left
> meat rotting on the quays etc. Ooops.

Sounds like someone got a lesson in single points of failure, cert agility and so on. Let's hope they took it.

I'm not sure I totally understand your point. You are saying that it's not reasonable to eliminate SHA-1 from the publicly trusted hierarchies entirely because there are devices out there which are not going to be upgraded and which don't support SHA-256, and further that these devices are not web devices and so we shouldn't be purporting to control their crypto?

> None of the current browser versions support SHA-1.

Yes, they do. They won't as of January 2017.

> If digest functions are so important, perhaps the industry should be
> focusing on deployment of SHA-3 as a backup in case SHA-2 is found wanting
> in the future.

https://yourlogicalfallacyis.com/black-or-white . This is not either/or.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy