Re: Update to phasing out SHA-1 Certs

2016-01-18 Thread Richard Barnes
"Failed" might be a bit strong :) We had a temporary setback. Like the blog post says, we're working on more precisely characterizing how widespread and how broken these middleboxes are, before taking steps to re-enable the SHA-1 restrictions. I still think we're on track for turning off SHA-1

Re: Update to phasing out SHA-1 Certs

2016-01-18 Thread Jakob Bohm
On 18/01/2016 16:19, Richard Barnes wrote: "Failed" might be a bit strong :) We had a temporary setback. Like the blog post says, we're working on more precisely characterizing how widespread and how broken these middleboxes are, before taking steps to re-enable the SHA-1 restrictions. I

SHA1 certs issued this year chaining to included roots

2016-01-18 Thread Charles Reiss
Via censys.io, I found a couple SHA-1 certs with notBefore dates from this year which chain to root CAs in Mozilla's program: - https://crt.sh/?id=12089828 -- chains to Baltimore CyberTrust Root [DigiCert] via subCA "Eurida Primary CA" via subCA "DnB NOR ASA PKI Class G" Also, the OCSP responder

Re: Update to phasing out SHA-1 Certs

2016-01-18 Thread Ryan Sleevi
On Mon, January 18, 2016 12:26 pm, Eric Mill wrote: > On Mon, Jan 18, 2016 at 10:19 AM, Richard Barnes > wrote: > > > ... > > > > One thing that has been proposed is to have an exception for local > > roots, > > i.e., to let non-default trust anchors continue to use SHA-1

Re: SHA1 certs issued this year chaining to included roots

2016-01-18 Thread Charles Reiss
On 01/19/16 03:37, Charles Reiss wrote: > On 01/19/16 03:23, Kurt Roeckx wrote: >> On Tue, Jan 19, 2016 at 01:49:21AM +, Charles Reiss wrote: >>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this >>> year >>> which chain to root CAs in Mozilla's program: >> >> I also

Re: SHA1 certs issued this year chaining to included roots

2016-01-18 Thread Reed Loden
Correct. Sorry, I meant to say "on the Symantec-issued certs". ~reed On Mon, Jan 18, 2016 at 10:55 PM, Eric Mill wrote: > On Mon, Jan 18, 2016 at 10:45 PM, Reed Loden wrote: >> >> https://cabforum.org/pipermail/public/2016-January/006519.html has >> more

Re: SHA1 certs issued this year chaining to included roots

2016-01-18 Thread Reed Loden
https://cabforum.org/pipermail/public/2016-January/006519.html has more information on these certs. ~reed On Mon, Jan 18, 2016 at 10:23 PM, Kurt Roeckx wrote: > On Tue, Jan 19, 2016 at 01:49:21AM +, Charles Reiss wrote: >> Via censys.io, I found a couple SHA-1 certs with

Re: SHA1 certs issued this year chaining to included roots

2016-01-18 Thread Eric Mill
On Mon, Jan 18, 2016 at 10:45 PM, Reed Loden wrote: > https://cabforum.org/pipermail/public/2016-January/006519.html has > more information on these certs. > I don't think that includes the Digicert one, though? > > ~reed > > On Mon, Jan 18, 2016 at 10:23 PM, Kurt Roeckx

Re: Update to phasing out SHA-1 Certs

2016-01-18 Thread Eric Mill
On Mon, Jan 18, 2016 at 11:24 PM, Ryan Sleevi < ryan-mozdevsecpol...@sleevi.com> wrote: > > > There isn't in Chrome, and here's the bug thread where the > > Chrome team denied fervent requests by someone behind an enterprise > > firewall to add MD5 support in behind a command line flag: > >

Re: SHA1 certs issued this year chaining to included roots

2016-01-18 Thread Charles Reiss
On 01/19/16 03:23, Kurt Roeckx wrote: > On Tue, Jan 19, 2016 at 01:49:21AM +, Charles Reiss wrote: >> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this >> year >> which chain to root CAs in Mozilla's program: > > I also have some from C=US,O=VeriSign\,

Re: SHA1 certs issued this year chaining to included roots

2016-01-18 Thread Kurt Roeckx
On Tue, Jan 19, 2016 at 01:49:21AM +, Charles Reiss wrote: > Via censys.io, I found a couple SHA-1 certs with notBefore dates from this > year > which chain to root CAs in Mozilla's program: I also have some from C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at

Re: Update to phasing out SHA-1 Certs

2016-01-18 Thread Richard Barnes
On Mon, Jan 18, 2016 at 11:07 AM, Jakob Bohm wrote: > On 18/01/2016 16:19, Richard Barnes wrote: > >> "Failed" might be a bit strong :) We had a temporary setback. >> >> Like the blog post says, we're working on more precisely characterizing >> how >> widespread and how

Re: Update to phasing out SHA-1 Certs

2016-01-18 Thread Richard Barnes
On Mon, Jan 18, 2016 at 3:26 PM, Eric Mill wrote: > On Mon, Jan 18, 2016 at 10:19 AM, Richard Barnes > wrote: > >> ... >> >> One thing that has been proposed is to have an exception for local roots, >> i.e., to let non-default trust anchors continue to

Re: Update to phasing out SHA-1 Certs

2016-01-18 Thread Jakob Bohm
On 18/01/2016 22:18, Richard Barnes wrote: On Mon, Jan 18, 2016 at 11:07 AM, Jakob Bohm wrote: On 18/01/2016 16:19, Richard Barnes wrote: "Failed" might be a bit strong :) We had a temporary setback. Like the blog post says, we're working on more precisely

Re: Update to phasing out SHA-1 Certs

2016-01-18 Thread Eric Mill
On Mon, Jan 18, 2016 at 10:19 AM, Richard Barnes wrote: > ... > > One thing that has been proposed is to have an exception for local roots, > i.e., to let non-default trust anchors continue to use SHA-1 for some more > time. What do folks here think about that idea? > That