I think you may have buried the lede a little bit here, Rick :-) The questions are:
* Does NSS correctly handle the case where a SHA-1 root signs a SHA-2 CRL or OCSP response?
* Which version of Firefox first supported SHA-2?

I believe the answer to the first question is Yes; NSS doesn't care what the signature algorithm used on the root is. Ever.

The answer to the second question is: in NSS before April 2003.

https://bugzilla.mozilla.org/show_bug.cgi?id=167605
http://www-archive.mozilla.org/projects/security/pki/nss/nss-3.8/nss-3.8-release-notes.html

Firefox 1.0 was released 10 years ago on Sunday, on 9th November 2004. So it almost certainly had SHA-256 support. Although I'm not sure how this bug plays in; perhaps Brian or someone else can say:

https://bugzilla.mozilla.org/show_bug.cgi?id=663315

Gerv
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto