[cabfpub] Proposal of a SHA-1 exception procedure
gerv at mozilla.org
Fri Jun 17 15:35:07 UTC 2016
On 16/06/16 20:05, Dean Coclin wrote:
> If I said, “Dean Coclin’s Really Valuable Credit Card Processing Center”
> is using a SHA-1 certificate, isn’t that like painting a target on me?

Well, is it?

If “Dean Coclin’s Really Valuable Credit Card Processing Center”
continues to have faith in SHA-1 to protect credit cards, why are they
coy about declaring that they are using it? And if they no longer have
such faith, a) why are they asking for a new cert, and b) there are
plenty of other ways that an attacker could discover that they are using
it; leaving the information off here is security by obscurity.