"Failed" might be a bit strong :) We had a temporary setback.
Like the blog post says, we're working on more precisely characterizing how
widespread and how broken these middleboxes are, before taking steps to
re-enable the SHA-1 restrictions. I still think we're on track for turning
off SHA-1
On 18/01/2016 16:19, Richard Barnes wrote:
"Failed" might be a bit strong :) We had a temporary setback.
Like the blog post says, we're working on more precisely characterizing how
widespread and how broken these middleboxes are, before taking steps to
re-enable the SHA-1 restrictions. I
Via censys.io, I found a couple SHA-1 certs with notBefore dates from this year
which chain to root CAs in Mozilla's program:
- https://crt.sh/?id=12089828 -- chains to Baltimore CyberTrust Root [DigiCert]
via subCA "Eurida Primary CA" via subCA "DnB NOR ASA PKI Class G"
Also, the OCSP responder
On Mon, January 18, 2016 12:26 pm, Eric Mill wrote:
> On Mon, Jan 18, 2016 at 10:19 AM, Richard Barnes
> wrote:
>
> > ...
> >
> > One thing that has been proposed is to have an exception for local
> > roots,
> > i.e., to let non-default trust anchors continue to use SHA-1
On 01/19/16 03:37, Charles Reiss wrote:
> On 01/19/16 03:23, Kurt Roeckx wrote:
>> On Tue, Jan 19, 2016 at 01:49:21AM +, Charles Reiss wrote:
>>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
>>> year
>>> which chain to root CAs in Mozilla's program:
>>
>> I also
Correct. Sorry, I meant to say "on the Symantec-issued certs".
~reed
On Mon, Jan 18, 2016 at 10:55 PM, Eric Mill wrote:
> On Mon, Jan 18, 2016 at 10:45 PM, Reed Loden wrote:
>>
>> https://cabforum.org/pipermail/public/2016-January/006519.html has
>> more
https://cabforum.org/pipermail/public/2016-January/006519.html has
more information on these certs.
~reed
On Mon, Jan 18, 2016 at 10:23 PM, Kurt Roeckx wrote:
> On Tue, Jan 19, 2016 at 01:49:21AM +, Charles Reiss wrote:
>> Via censys.io, I found a couple SHA-1 certs with
On Mon, Jan 18, 2016 at 10:45 PM, Reed Loden wrote:
> https://cabforum.org/pipermail/public/2016-January/006519.html has
> more information on these certs.
>
I don't think that includes the DigiCert one, though?
>
> ~reed
>
> On Mon, Jan 18, 2016 at 10:23 PM, Kurt Roeckx
On Mon, Jan 18, 2016 at 11:24 PM, Ryan Sleevi <
ryan-mozdevsecpol...@sleevi.com> wrote:
>
> > There isn't in Chrome, and here's the bug thread where the
> > Chrome team denied fervent requests by someone behind an enterprise
> > firewall to add MD5 support in behind a command line flag:
>
>
On 01/19/16 03:23, Kurt Roeckx wrote:
> On Tue, Jan 19, 2016 at 01:49:21AM +, Charles Reiss wrote:
>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
>> year
>> which chain to root CAs in Mozilla's program:
>
> I also have some from C=US,O=VeriSign\,
On Tue, Jan 19, 2016 at 01:49:21AM +, Charles Reiss wrote:
> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
> year
> which chain to root CAs in Mozilla's program:
I also have some from C=US,O=VeriSign\, Inc.,OU=VeriSign Trust
Network,OU=Terms of use at
On Mon, Jan 18, 2016 at 11:07 AM, Jakob Bohm wrote:
> On 18/01/2016 16:19, Richard Barnes wrote:
>
>> "Failed" might be a bit strong :) We had a temporary setback.
>>
>> Like the blog post says, we're working on more precisely characterizing
>> how
>> widespread and how
On Mon, Jan 18, 2016 at 3:26 PM, Eric Mill wrote:
> On Mon, Jan 18, 2016 at 10:19 AM, Richard Barnes
> wrote:
>
>> ...
>>
>> One thing that has been proposed is to have an exception for local roots,
>> i.e., to let non-default trust anchors continue to
On 18/01/2016 22:18, Richard Barnes wrote:
On Mon, Jan 18, 2016 at 11:07 AM, Jakob Bohm wrote:
On 18/01/2016 16:19, Richard Barnes wrote:
"Failed" might be a bit strong :) We had a temporary setback.
Like the blog post says, we're working on more precisely
On Mon, Jan 18, 2016 at 10:19 AM, Richard Barnes
wrote:
> ...
>
> One thing that has been proposed is to have an exception for local roots,
> i.e., to let non-default trust anchors continue to use SHA-1 for some more
> time. What do folks here think about that idea?
>
That