On Tue, Nov 15, 2016 at 7:25 AM, Kurt Roeckx <k...@roeckx.be> wrote:
>
> - If it's an enterprise root they need to switch to SHA-2

This is a lot easier said than done for many organizations. Depending on the CA software this might be a small configuration change or might involve a very large software upgrade.

I think the key question here is whether Firefox will have an option to do two things:

1) Continue to accept signatures over SHA-1 hashes for end-entity certificates
2) Continue to accept signatures over SHA-1 hashes for CA certificates in the chain

While these may seem similar (in fact from a crypto risk perspective #2 is probably worse than #1), they frequently represent different amounts of work required to mitigate for organizations.

Thanks,
Peter