CA/Forbidden or Problematic Practices

1,113 bytes removed, 22:06, 31 January 2019
Removed obsolete text
=== Issuance of SHA-1 Certificates ===
This is forbidden by the Baseline Requirements. Issuance of SHA-1 subordinate CA certificates, SSL certificates may be compromised when attackers can create a fake cert that hashes to the same value as one with a legitimate signature, and OCSP responder certificates is hence trusted. Mozilla can mitigate this potential vulnerability forbidden by turning off support for SHA-1 based signatures[https://www. The SHA-1 root certificates don’t necessarily need to be removed from NSS, because the signatures of root certificates are not validated (roots are self-signed)mozilla. Disabling SHAorg/en-1 will impact intermediate and end entity certificates, where the signatures are validated. There are still many end entity certificates that would be impacted if support for SHAUS/about/governance/policies/security-1 based signatures was turned off. Therefore, we are hoping to give CAs time to react, and are planning to turn off support for SHAgroup/certs/policy#51-1 based signatures in 2017algorithms section 5. Note that Mozilla will take this action earlier if needed to keep our users safe.* CAs should not be issuing new SHA-1 certificates, and should be migrating their customers off of SHA-1 intermediate Mozilla's Root Store Policy] and end-entity certificatessection 7.* If a CA still needs to issue SHA-1 certificates for compatibility reasons, then those SHA-1 certificates should expire before 2017.* If you aren't sure whether or not your site is using SHA-1, please see https://shaaaaaaaaaaaaa.com/.* 3 of the [https://blog.mozillacabforum.org/security/2014/09/23/phasing-out-certificates-with-sha-1baseline-basedrequirements-signature-algorithmsdocuments/ Security Blog Post Regarding SHA-1 Based Signature AlgorithmsBaseline Requirements].
=== Delegation of Domain / Email Validation to Third Parties ===
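Review bot: in the "Issuance of SHA-1 Certificates" paragraph, the removal takes out the one sentence that says why SHA-1 issuance is a problem ("attackers can create a fake cert that hashes to the same value as one with a legitimate signature") together with the 2017 phase-out timeline and the migration bullets. For an edit dated January 2019 the timeline and bullets are obsolete, but the collision rationale is not. I would keep that sentence ahead of the Root Store Policy and Baseline Requirements citations, so the section still tells a CA reading it what the prohibition protects against and not only where it is written down.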