On 24/02/17 07:08, blake.mor...@trustis.com wrote:
> Certificates for the HMRC SET Service are issued from the SHA-1 “FPS
> TT Issuing Authority”, which is now only used for this service. The
> replacement server certificate for hmrcset.trustis.com was issued
> from the FPS TT IA, via a manual process under the mistaken belief
> that this was necessary for this particular service to operate
> correctly.

And presumably under the further mistaken belief that "necessary for this particular service to operate correctly" was a good enough reason to disregard the SHA-1 ban?

> Trustis has some time ago, migrated all TLS certificate production to
> SHA-256 Issuing Authorities. The small number of previously issued
> SHA-1 TLS certificates issued from “FPS TT”, that had lifetimes
> extending beyond 1 Jan 2017, were revoked towards the end of 2016.

Except the one in use on hmrcset.trustis.com? It's not clear how the certificate-nearing-expiry for that domain fits into the last sentence of the paragraph above.

> As a result of the investigation the security management committee
> has made a number of recommendations. Principal amongst these is
> enhanced training and oversight for technical staff that deal with
> unique certificates or certificate management in complex
> circumstances that are not part of standard operations.

Have you deleted, locked or otherwise made unavailable all SHA-1 profiles which relate to intermediates which chain up to publicly trusted roots?

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy