[cabfpub] Ballot 118 - SHA1 Sunset

Gervase Markham gerv at mozilla.org
Wed Oct 29 16:02:25 UTC 2014

On 28/10/14 17:37, Rick Andrews wrote:
> Firefox and Chromium do not check CRLs, but Google parses some CRLs to
> build its CRLSets, and Mozilla plans to do something similar with
> OneCRL. So both companies rely on CRLs, and it would be helpful to know
> that switching the CRL for a SHA-1 root from SHA-1 to SHA-2 will not
> cause any problems.

The code for OneCRL is not yet written; I think we would be very foolish
if we wrote it to accept only SHA-1-signed CRLs.

> Mozilla’s blog is helpful, but it says nothing about CRL use (for
> OneCRL) or OCSP responses.

If you want an even more definitive answer than Ryan's (which seemed
pretty clear to me), mozilla.dev.tech.crypto is where the people with
the answers hang out. Of course, that includes Ryan :-)
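
Added example, not code from the original post and not Mozilla's OneCRL or Google's CRLSets implementation: a consumer-side check, in Python using only the standard library, of the kind a CRL-ingesting tool would run before trusting a CRL. It walks the DER of a CertificateList, reads the outer signatureAlgorithm and the inner tbsCertList.signature, requires the two to match (RFC 5280 section 5.1.1.2), and then applies a policy on the hash: accept SHA-2 family algorithms and reject SHA-1 unless explicitly allowed. The sample CRLs are constructed inside the block with a placeholder signatureValue, so only the declared algorithms are checked, not the signature itself; a real consumer verifies the signature with the issuer's public key after this step. The OID table, the issuer name "Test Root" and the dates are assumptions made for the example.

```python
"""Check which signature algorithm an X.509 CRL declares, before trusting it.

Stdlib only. The DER encoder exists solely to build constructed sample CRLs;
the signatureValue in those samples is a placeholder and is never verified.
"""

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) mapped to
# (name, hash). Assumed table for the example; extend as policy requires.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}


# --- minimal DER encoding, used only to construct sample input -------------
def der_tlv(tag, body):
    """Encode tag + definite length + body (short and long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytes([p & 0x7F])
        p >>= 7
        while p:
            chunk = bytes([0x80 | (p & 0x7F)]) + chunk
            p >>= 7
        out += chunk
    return der_tlv(0x06, out)


def build_sample_crl(sig_oid, tbs_sig_oid=None):
    """Constructed sample: a v2 CertificateList with no revoked entries.

    The outer signatureAlgorithm uses sig_oid; tbsCertList.signature uses
    tbs_sig_oid (defaults to the same OID, as RFC 5280 requires). The
    signatureValue is 32 zero bytes: a placeholder, not a real signature.
    """
    tbs_sig_oid = tbs_sig_oid or sig_oid

    def alg_id(oid):  # AlgorithmIdentifier with NULL parameters (RSA form)
        return der_tlv(0x30, der_oid(oid) + b"\x05\x00")

    cn = der_tlv(0x30, der_oid("2.5.4.3") + der_tlv(0x0C, b"Test Root"))
    issuer = der_tlv(0x30, der_tlv(0x31, cn))          # Name: SEQ of SET of AVA
    this_update = der_tlv(0x17, b"141029000000Z")      # UTCTime
    next_update = der_tlv(0x17, b"141105000000Z")
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01") + alg_id(tbs_sig_oid)
                  + issuer + this_update + next_update)
    sig = der_tlv(0x03, b"\x00" + bytes(32))           # BIT STRING placeholder
    return der_tlv(0x30, tbs + alg_id(sig_oid) + sig)


# --- minimal DER decoding, used on the CRL under inspection ----------------
def der_read(buf, pos):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_oid_decode(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def crl_signature_info(crl_der):
    """Return (outer signatureAlgorithm OID, inner tbsCertList.signature OID)."""
    tag, outer, _ = der_read(crl_der, 0)
    if tag != 0x30:
        raise ValueError("CertificateList is not a SEQUENCE")
    _, tbs, pos = der_read(outer, 0)            # tbsCertList
    _, sig_alg, _ = der_read(outer, pos)        # signatureAlgorithm
    _, oid_body, _ = der_read(sig_alg, 0)
    outer_oid = der_oid_decode(oid_body)
    tag, body, p = der_read(tbs, 0)             # optional version INTEGER
    if tag == 0x02:
        _, body, p = der_read(tbs, p)           # then signature AlgorithmIdentifier
    _, oid_body, _ = der_read(body, 0)
    return outer_oid, der_oid_decode(oid_body)


def check_crl_signature_algorithm(crl_der, allow_sha1=False):
    """Policy check on the declared algorithm; ("accept", name) or ("reject", why)."""
    outer, inner = crl_signature_info(crl_der)
    if outer != inner:
        return ("reject", f"signatureAlgorithm {outer} != tbsCertList.signature {inner}")
    name, hash_name = SIG_ALG_OIDS.get(outer, (outer, "unknown"))
    if hash_name == "unknown":
        return ("reject", f"unknown signature algorithm {outer}")
    if hash_name == "SHA-1" and not allow_sha1:
        return ("reject", f"{name}: SHA-1 signed CRL not accepted")
    return ("accept", name)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"):
        print(oid, check_crl_signature_algorithm(build_sample_crl(oid)))
```

The hash named in the CRL's signature is independent of the hash in the root's own self-signature: relying parties never verify a trust anchor's self-signature, they verify the CRL signature with the anchor's public key. That is why a consumer written to accept only sha1WithRSAEncryption would break the moment a root moved its CRL to SHA-256, while one that keys its policy on the declared OID, as above, keeps working.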


