I would suggest requiring all new roots approved to state that they do
not and will not use MD5 in any newly-minted certificate (except
possibly in a configuration like the TLS pseudo-random function).

This is not yet policy, though it should be.  (FWIW, this was known
two years ago.)

-Kyle H

On Tue, Dec 30, 2008 at 8:39 AM, Chris Hills <c...@chaz6.com> wrote:
> A presentation was given at this year's Chaos Communication Congress in
> which it was described how researchers were apparently able to produce
> authentic signed SSL certificates thanks to a handful of CAs who rely on
> MD5. If true, is it time to disable MD5 by default?
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>