[cabfpub] Ballot 118 - SHA1 Sunset
Gervase Markham
gerv at mozilla.org
Wed Oct 29 09:02:25 MST 2014
On 28/10/14 17:37, Rick Andrews wrote:
> Firefox and Chromium do not check CRLs, but Google parses some CRLs to
> build its CRLSets, and Mozilla plans to do something similar with
> OneCRL. So both companies rely on CRLs, and it would be helpful to know
> that switching the CRL for a SHA-1 root from SHA-1 to SHA-2 will not
> cause any problems.
The code for OneCRL is not yet written; I think we would be very foolish
if we wrote it to accept only SHA-1-signed CRLs.
> Mozilla’s blog is helpful, but it says nothing about CRL use (for
> OneCRL) or OCSP responses.
If you want an even more definitive answer than Ryan's (which seemed
pretty clear to me), mozilla.dev.tech.crypto is where the people with
the answers hang out. Of course, that includes Ryan :-)
Gerv
More information about the Public
mailing list