GlobalSign concurs. 

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On
Behalf Of Wayne Thayer via dev-security-policy
Sent: Friday, March 22, 2019 2:51 PM
To: mozilla-dev-security-policy
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Applicability of SHA-1 Policy to Timestamping CAs

I've been asked if the section 5.1.1 restrictions on SHA-1 issuance apply to
timestamping CAs. Specifically, does Mozilla policy apply to the issuance of
a SHA-1 CA certificate asserting only the timestamping EKU and chaining to a
root in our program? Because this certificate is not in scope for our policy
as defined in section 1.1, I do not believe that this would be a violation
of the policy. And because the CA would be in control of the entire contents
of the certificate, I also do not believe that this action would create an
unacceptable risk.

I would appreciate everyone's input on this interpretation of our policy.

- Wayne
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
