[cabfpub] Mozilla SHA-1 further restrictions (v4)

Tim Shirley TShirley at trustwave.com
Thu Jan 12 19:34:36 UTC 2017

>    CAs may only sign SHA-1 hashes over issuing intermediates which chain
>    up to roots in Mozilla's program if the certificate to be signed is a
>    duplicate of an existing SHA-1 intermediate certificate with the only
>    change being the addition of an EKU to meet the requirements outlined above.

Besides EKU, I presume this should also list adding the pathlen:0 constraint if it was previously absent.  It would probably be good to include serial number as well, so no one could interpret this as a requirement to duplicate a serial number.


This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

More information about the Public mailing list