> > What constitutes a 'documented compatibility reason'? Is the intent to create a very limited scope backed by hard data, or is "Windows XP (pre-SP3)" a 'documented compatibility reason'? I would like to continue to provide SHA-1 signed OCSP responses and CRLs for all certificates in GoDaddy's SHA-1 hierarchies (root - intermediate - and EE certs are all SHA-1), but if the intent is to prevent that with this bullet, then I'd like to make it clear here - perhaps by requiring approval rather than just documenting.
> >
> > Are such roots still trusted by Mozilla?

By your own definition, I believe so because they are "hierarchies chaining up to our embedded roots". While no EE certs issued from these roots will be "trusted" come January (they're all SHA-1), I'm not aware of any immediate plans for Mozilla to remove SHA-1 roots. Is that the path you're suggesting, and if so how do you see the timing working out?
