Re: Applicability of SHA-1 Policy to Timestamping CAs

2019-03-25 Thread Jakob Bohm via dev-security-policy
On 25/03/2019 23:42, Wayne Thayer wrote: > My general sense is that we should be doing more to discourage the use of > SHA-1 rather than less. I've just filed an issue [1] to consider a ban on > SHA-1 S/MIME certificates in the future. > > On Mon, Mar 25, 2019 at 10:54 AM Jakob Bohm via

Re: Applicability of SHA-1 Policy to Timestamping CAs

2019-03-25 Thread Wayne Thayer via dev-security-policy
My general sense is that we should be doing more to discourage the use of SHA-1 rather than less. I've just filed an issue [1] to consider a ban on SHA-1 S/MIME certificates in the future. On Mon, Mar 25, 2019 at 10:54 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org>

Re: Applicability of SHA-1 Policy to Timestamping CAs

2019-03-25 Thread Jakob Bohm via dev-security-policy
On 23/03/2019 02:03, Wayne Thayer wrote: > On Fri, Mar 22, 2019 at 6:54 PM Peter Bowen wrote: > >> >> >> On Fri, Mar 22, 2019 at 11:51 AM Wayne Thayer via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >>> I've been asked if the section 5.1.1 restrictions on SHA-1

Re: Applicability of SHA-1 Policy to Timestamping CAs

2019-03-22 Thread Wayne Thayer via dev-security-policy
On Fri, Mar 22, 2019 at 6:54 PM Peter Bowen wrote: > > > On Fri, Mar 22, 2019 at 11:51 AM Wayne Thayer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> I've been asked if the section 5.1.1 restrictions on SHA-1 issuance apply >> to timestamping CAs. Specifically,

Re: Applicability of SHA-1 Policy to Timestamping CAs

2019-03-22 Thread Peter Bowen via dev-security-policy
On Fri, Mar 22, 2019 at 11:51 AM Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I've been asked if the section 5.1.1 restrictions on SHA-1 issuance apply > to timestamping CAs. Specifically, does Mozilla policy apply to the > issuance of a SHA-1 CA

Re: Applicability of SHA-1 Policy to Timestamping CAs

2019-03-22 Thread Wayne Thayer via dev-security-policy
Thanks Andrew and Ryan. I can certainly see the intent to implement a comprehensive ban on SHA-1 with the "sign SHA-1 hashes" language in section 5.1.1. This implies that section 5.1.1 overrides the scope statement in section 1.1 of our policy. However, it is also apparent that S/MIME is

Re: Applicability of SHA-1 Policy to Timestamping CAs

2019-03-22 Thread Ryan Sleevi via dev-security-policy
On Fri, Mar 22, 2019 at 4:00 PM Andrew Ayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Fri, 22 Mar 2019 12:50:43 -0600 > Wayne Thayer via dev-security-policy > wrote: > > > I've been asked if the section 5.1.1 restrictions on SHA-1 issuance > > apply to

Re: Applicability of SHA-1 Policy to Timestamping CAs

2019-03-22 Thread Andrew Ayer via dev-security-policy
On Fri, 22 Mar 2019 12:50:43 -0600 Wayne Thayer via dev-security-policy wrote: > I've been asked if the section 5.1.1 restrictions on SHA-1 issuance > apply to timestamping CAs. Specifically, does Mozilla policy apply to > the issuance of a SHA-1 CA certificate asserting only the > timestamping

RE: Applicability of SHA-1 Policy to Timestamping CAs

2019-03-22 Thread Doug Beattie via dev-security-policy
GlobalSign concurs. -----Original Message----- From: dev-security-policy On Behalf Of Wayne Thayer via dev-security-policy Sent: Friday, March 22, 2019 2:51 PM To: mozilla-dev-security-policy Subject: Applicability of SHA-1 Policy to Timestamping CAs I've been asked if the section 5.1.1