On 30/12/08 22:16, Nelson B Bolyard wrote:
Paul Hoffman wrote, On 2008-12-30 12:43:

Well, of course, it's not the signature on the root CA cert itself that
matters.  It's the signature algorithm used on the certs issued by the
root.  And the issuer is always free to change that whenever they wish.
(Maybe they would have to change their CP/CPS if they did that.)  No
change to the trust anchor itself is required.


That is as I understood (and I was surprised at Paul's comment, it seems backwards?)



Either way, is there any difficulty with announcing today that NSS is going to deprecate MD5 and earlier algorithms, totally, for all purposes, including Firefox and Thunderbird?

    (Leave off the date as to when the rejection will take effect.)

The point is not when NSS does it, or when Firefox does it, but when all the CAs stop issuing them, and replace them. The more noise we make now, the earlier they are likely to act.

    (figure out a date later...)

I propose it be announced today if not sooner!

Votes, disagreements?



iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
