On Fri, Mar 22, 2019 at 6:54 PM Peter Bowen <pzbo...@gmail.com> wrote:

>
>
> On Fri, Mar 22, 2019 at 11:51 AM Wayne Thayer via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
>> I've been asked if the section 5.1.1 restrictions on SHA-1 issuance apply
>> to timestamping CAs. Specifically, does Mozilla policy apply to the
>> issuance of a SHA-1 CA certificate asserting only the timestamping EKU and
>> chaining to a root in our program? Because this certificate is not in scope
>> for our policy as defined in section 1.1, I do not believe that this would
>> be a violation of the policy. And because the CA would be in control of the
>> entire contents of the certificate, I also do not believe that this action
>> would create an unacceptable risk.
>>
>> I would appreciate everyone's input on this interpretation of our policy.
>>
>
> Do you have any information about the use case behind this request? Are
> there software packages that support a SHA-2 family hash for the issuing CA
> certificate for the signing certificate but do not support SHA-2 family
> hashes for the timestamping CA certificate?
>

I was simply asked if our policy does or does not permit this, so I can
only speculate that the use case involves code signing that targets an
older version of Windows. If the person who asked the question would like
to send me specifics, I'd be happy to relay them to the list.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy