[cabfpub] Mozilla SHA-1 further restrictions (v5)

Gervase Markham gerv at mozilla.org
Tue Jan 31 09:49:37 MST 2017


On 30/01/17 19:16, Bruce Morton wrote:
> Can you provide some clarification on how this will be
> implemented/imposed? 

It will become part of our Root Store Policy (probably with an
implementation deadline).

> What would be good to know is if the CA does not
> comply to the new Mozilla SHA-1 restrictions is this a policy
> compliance issue or will this mean the certificate issued will not be
> trusted by Firefox?

It would be a compliance issue. Newer versions of Firefox are moving to
not trust SHA-1 certificates at all anyway. Of course, this doesn't
affect people still using old versions, and it doesn't affect email, and
it doesn't consider the effects on the broader ecosystem of continued
SHA-1 use. All of these mean that a policy-based approach is appropriate
in addition to a technical one.

Gerv


More information about the Public mailing list