On 05/21/2009 03:46 AM, Nelson Bolyard:
Also related, in bug #490895 VeriSign has requested inclusion of the
SHA-1 version of their roots to replace the corresponding old MD5
version of their roots. At the time of inclusion of the SHA-1 version
of the roots, is there any reason to keep the old MD5 version of the
roots in NSS?
Yes, it solves the same potential problem for Verisign, namely that a
server might send out a chain with the "other" root.
Kathleen posted in this comment
https://bugzilla.mozilla.org/show_bug.cgi?id=490895#c8 that this is also
a reason to keep a MD2 root in NSS even though a SHA1 root is going to
replace it. I'm not sure if this was the conclusion of this discussion,
but I'd suggest not to do that. Also current discussions elsewhere
indicate that those algorithms should be yanked pretty soonish.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
