Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
>Indeed, I strongly suspect Microsoft *customers* combined with Microsoft >untrustworthiness (they officially closed their Trustworthy Computing >initiative!) may be the major hold out, specifically: > >1. [...] 5. Microsoft has SHA-1 deeply hardcoded into their cert-management infrastructure, and in some places it can't be replaced. For example their NDES cert management server replies to a SHA-2 request with a SHA-1 response that can't be decrypted, implying that it's never even been tested with SHA-2. If you submit an MD5 request then everything works as expected (as does SHA-1). That's MD5, in 2017. Peter. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy