[cabfpub] Mozilla SHA-1 further restrictions (v3)

Gervase Markham gerv at mozilla.org
Mon Nov 28 14:17:10 UTC 2016

On 28/11/16 13:50, Bruce Morton wrote:
> An issue is that if a SHA-1 intermediate certificate needs an EKU and
> we are not allowed to issue SHA-1 certificates per BR 7.1.3, then
> there is no fix.

All of this is discussing issuance outside the scope of the BRs anyway.
SHA-1 issuance is not permitted for BR-covered certs (except via the
exception process, and even that should go away at the end of the year).

But you are right in that this policy does not allow for the creation of
new SHA-1 intermediates, which may be necessary in order to meet EKU
restrictions. That needs fixing.

Add a point:

CAs may only sign SHA-1 hashes over intermediate certificates if such
certificates are only used to sign other SHA-1 hashes which comply with
this policy.
