[cabfpub] Proposal of a SHA-1 exception procedure

Gervase Markham gerv at mozilla.org
Tue Jun 21 12:38:36 UTC 2016

On 17/06/16 20:17, Ryan Sleevi wrote:
> For Google, the procedure we laid out is one that, so far, we think best
> represents the balance between the ecosystem participants. That includes
> the necessary disclosures and information so that we can gather
> information necessary to avoid such situations in the future, while
> having the necessary transparency for us effectively accepting, on
> behalf of the Internet trust ecosystem, the security risks.
> It's useful to know what Apple/Mozilla/Opera/Qihoo360 think, as well as
> any other root store program that may be presented with such audits.

Mozilla is generally supportive of the extent and depth of the questions
outlined in Google's draft procedure. We don't see a problem with
different root programs having different requirements as long as none of
them are actively conflicting; the CAB Forum's role in this situation
would be to produce the superset of all the requirements, so that
applicants can provide all the information required by the different
programs in one go.

