On 1/9/09 12:51 PM, Johnathan Nightingale wrote:
> - Do the work to arm ourselves so that when we are confident pulling
>   the trigger, we can actually do so with minimal changes (in case it
>   happens in a point release, for instance)
> - Establish our feelings around how much of the net we are comfortable
>   invalidating if we kill an algorithm
> - Establish a timeline we think is compatible with that

Is it possible to disable the MD5 algorithm for EV certificate chains sooner than for regular (DV) certificate chains? Or even disable SHA1 for EV chains and require SHA-256? We would at least be increasing the trust factor for EV, if not the whole web.

Perhaps it would help if we had some additional information such as: what is the maximum certificate expiration time? That is, if all CAs stopped using MD5 *today* and switched to SHA-256, how long would it be before there were no unexpired certificates? Is that the upper bound on how long it would be before we could disable MD5 and SHA1?

--BDS

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto