Changes


CA:MD5and1024

425 bytes added, 16:19, 6 June 2013
Dates for Phasing out MD5-based signatures and 1024-bit moduli
# CAs may request that their legacy roots be disabled or removed from NSS earlier, according to the [[CA:Root_Change_Process | Root Change Process]]
# There were some long-lived certs that were issued before this policy was put in place; as long as caveat #1 and #2 have not happened and there is no evidence of breaches regarding these certs, these certs may be allowed to expire before the root is removed.
# Turning off support of < 2048-bit certs is dependent on a code change to build all validation paths. Currently, cross-signing depends on the notAfter/notBefore dates of the certificates in question (which one was issued later). Only one path is built, and if the wrong path is built, the code won't try to build another path. We will need to have the code build all paths, and check another path when the first path fails.
=== Background ===
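Review bot: In the item beginning "Turning off support of < 2048-bit certs", the sentence "cross-signing depends on the notAfter/notBefore dates" is imprecise. The parenthetical and the next sentence show that what depends on the dates is which of the cross-signed certificates is picked when the single path is built. Suggest wording it as "Currently, when a CA is cross-signed, the path chosen depends on the notAfter/notBefore dates of the certificates in question (which one was issued later)". The item should also say whether "< 2048-bit" refers to the modulus of roots, intermediates or end-entity certs, since the page title speaks of 1024-bit moduli. A link to the tracking bug for the "build all paths" code change would let readers see when this dependency is resolved.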