On Wed, 1 Mar 2017 00:44:54 -0800 (PST) benjaminpill--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Are root (Enterprise) CA certificates which are based on SHA1 handled
> as untrusted by Firefox 51? The end certificate is signed using sha256
> and trusted by an intermediate ca which uses also sha256. Only the root
> ca is based on sha1. Chrome and IE are not complaining about the root
> cert.

The signatures on root certificates are mostly irrelevant, as they're
pure self-signatures that have no real meaning. I think they're only
there because the certificate format X.509 requires certificates to
have a signature on themselves.

Therefore afaik it's generally considered okay if root certificates
have SHA1 signatures. You probably wouldn't create new ones with such
signatures, but there is no risk for the ecosystem in keeping existing
ones.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
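The distinction drawn in the reply, as an added example that is not part of the original message: a chain audit that reports weak signature hashes only on certificates whose signature is actually checked against an issuer key, and skips the trust anchor. The `Cert` records, names and key ids are constructed stand-ins for parsed X.509 fields, and `audit_chain` is a hypothetical helper, not Firefox's validation code.

```python
from dataclasses import dataclass

WEAK_HASHES = {"md5", "sha1"}

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str          # stands in for the subject public key
    issuer_key_id: str   # stands in for the key that signed this cert
    sig_hash: str        # hash used in the signature over this cert

def audit_chain(leaf, pool, trust_store):
    """Walk leaf -> anchor. Returns (reaches_anchor, subjects_with_weak_signature)."""
    anchors = {(c.subject, c.key_id) for c in trust_store}
    by_id = {(c.subject, c.key_id): c for c in pool}
    weak, seen, cert = [], set(), leaf
    while True:
        ident = (cert.subject, cert.key_id)
        if ident in anchors:
            # Trusted because it is in the store; its self-signature is never relied on.
            return True, weak
        if ident in seen:
            # Self-signed (or looping) certificate that is not a trust anchor.
            return False, weak
        seen.add(ident)
        # This signature is verified with the issuer's key, so its hash matters.
        if cert.sig_hash in WEAK_HASHES:
            weak.append(cert.subject)
        cert = by_id.get((cert.issuer, cert.issuer_key_id))
        if cert is None:
            return False, weak

# Constructed sample data mirroring the question: SHA-1 root, SHA-256 below it.
ROOT = Cert("Example Enterprise Root", "Example Enterprise Root", "k-root", "k-root", "sha1")
INTER = Cert("Example Issuing CA", "Example Enterprise Root", "k-int", "k-root", "sha256")
LEAF = Cert("www.example.test", "Example Issuing CA", "k-leaf", "k-int", "sha256")
# Variant where the intermediate itself carries a SHA-1 signature.
INTER_SHA1 = Cert("Example Issuing CA", "Example Enterprise Root", "k-int", "k-root", "sha1")

if __name__ == "__main__":
    print(audit_chain(LEAF, [INTER, ROOT], [ROOT]))       # root in trust store
    print(audit_chain(LEAF, [INTER_SHA1, ROOT], [ROOT]))  # weak intermediate
    print(audit_chain(LEAF, [INTER, ROOT], []))           # root not in trust store
```

When the root is absent from the trust store it gets no exemption for being self-signed: the chain is reported as not reaching an anchor and the SHA-1 signature is listed.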