[cabfpub] Mozilla SHA-1 further restrictions

Wayne Thayer wthayer at godaddy.com
Mon Nov 21 19:45:05 UTC 2016

> > What constitutes a 'documented compatibility reason'? Is the intent to
> > create a very limited scope backed by hard data, or is "Windows XP
> > (pre-SP3)" a 'documented compatibility reason'? I would like to
> > continue to provide SHA-1 signed OCSP responses and CRLs for all
> > certificates in GoDaddy's SHA-1 hierarchies (root - intermediate - and
> > EE certs are all SHA-1), but if the intent is to prevent that with
> > this bullet, then I'd like to make it clear here - perhaps by
> > requiring approval rather than just documenting.
> Are such roots still trusted by Mozilla?

By your own definition, I believe so because they are "hierarchies chaining up to our embedded roots". While no EE certs issued from these roots will be "trusted" come January (they're all SHA-1), I'm not aware of any immediate plans for Mozilla to remove SHA-1 roots. Is that the path you're suggesting, and if so how do you see the timing working out?

More information about the Public mailing list