Confirm
344
edits
Changes
Added Feb 2022 CA Communication
The following are communications that have been sent to Certification Authorities participating in [[CA | Mozilla's root program.]] If you have questions regarding these communications, please first review related discussions in the mozilla.dev.security.policy forum. If your questions cannot be answered in that forum, then please send email to certificates@mozilla.org.
== February 2022 CA Communication ==
Dear Certification Authority,
Mozilla is engaged in policy review discussions to sunset the use of SHA1 for signing by CAs of CRLs, OCSP responses, and SMIME certificates.
See https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/CnVjV-bFcyI/m/TFuWOy2BAwAJ
(Server certificate signing is governed by the Baseline Requirements, and effective June 1, 2022, OCSP responses related to server certificates cannot be signed with SHA1.)
One proposal is to remove SHA1 from the list of allowed signing algorithms altogether, but before we do this, I would like your proposed sunset dates for the different types of SHA1 signing you might currently perform--SMIME certificates, ARLs/CRLs, and OCSP responses for SMIME certificates.
Please participate in this important topic, which is already underway on the Mozilla dev-security-policy list. Let us know about your specific concerns and hurdles that would need to be overcome.
(Some CAs have expressed willingness to quickly convert over to SHA256, while others have expressed that it is not a simple task and will require additional development work.)
Thanks,
Ben Wilson (bwilson@mozilla.com)
Mozilla Root Store Program
== April 2021 CA Communication ==
