Ben Bucksch wrote: > I propose to announce that we'll stop supporting MD5 in 3 months, and > ask website owners to get new certs.
On the basis of any known risk? The current attack requires the attacker to be able to get a cert signed for a key they control. If all CAs stop using MD5 (which they should have following this disclosure) then the attack mechanism is closed off. I agree MD5 is unsafe and needs to be phased out, but given that there is no current threat, we need to balance speed and inconvenience (both to sites, and to users when they sites they want to visit stop working). Gerv _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
