CA/Forbidden or Problematic Practices: Difference between revisions

(updated referenced section numbers and quotes)
(Removed obsolete text)
=== Issuance of SHA-1 Certificates ===

This is forbidden by the Baseline Requirements.
Issuance of SHA-1 subordinate CA certificates, SSL certificates, and OCSP responder certificates is forbidden by [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#51-algorithms section 5.1 of Mozilla's Root Store Policy] and section 7.1.3 of the [https://cabforum.org/baseline-requirements-documents/ Baseline Requirements].
 
SHA-1 certificates are at risk when an attacker can construct a fraudulent certificate whose SHA-1 digest collides with that of a legitimately signed certificate: the legitimate signature then validates the fraudulent certificate as well, so it is trusted. Mozilla can mitigate this by turning off support for SHA-1 based signatures. The SHA-1 root certificates don’t necessarily need to be removed from NSS, because the signatures on root certificates are not validated (roots are self-signed and trusted directly). Disabling SHA-1 will impact intermediate and end-entity certificates, where the signatures are validated.
 
There are still many end entity certificates that would be impacted if support for SHA-1 based signatures was turned off. Therefore, we are hoping to give CAs time to react, and are planning to turn off support for SHA-1 based signatures in 2017. Note that Mozilla will take this action earlier if needed to keep our users safe.
* CAs should not be issuing new SHA-1 certificates, and should be migrating their customers off of SHA-1 intermediate and end-entity certificates.
* If a CA still needs to issue SHA-1 certificates for compatibility reasons, then those SHA-1 certificates should expire before 2017.
* If you aren't sure whether or not your site is using SHA-1, please see https://shaaaaaaaaaaaaa.com/.
* [https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/ Security Blog Post Regarding SHA-1 Based Signature Algorithms]
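The check above (is anything in my chain still SHA-1 signed, and does it matter?) can be done locally. The following is an added example, not code from the Mozilla wiki or from NSS: a minimal DER walk that reads the outer signatureAlgorithm OID of each certificate in a PEM bundle and flags SHA-1 only where the signature is actually verified, i.e. on every certificate except a self-signed root (issuer DER equal to subject DER). It does not verify signatures or build a path. The sample chain is constructed inline from structurally valid but unsigned certificate skeletons (the OIDs are the real RFC 3279 / RFC 4055 identifiers; the names and dates are made up); pass a real PEM file as the first argument to audit an actual chain.

```python
"""Report the signature hash algorithm of each certificate in a PEM chain and
flag SHA-1 on certificates whose signature browsers verify (not on a self-signed root)."""
import base64
import re

# Signature-algorithm OIDs that use SHA-1 (RFC 3279 names).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
# A few common non-SHA-1 algorithms so the report is readable (RFC 4055 / RFC 5758).
OTHER_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos] -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """OBJECT IDENTIFIER content bytes -> dotted-decimal string."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def inspect_certificate(der):
    """Return (signature OID, self_signed) for one DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, pos = _read_tlv(cert, 0)                # tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)            # signatureAlgorithm: the one that is verified
    _, oid, _ = _read_tlv(sig_alg, 0)               # AlgorithmIdentifier.algorithm
    # TBSCertificate: [0] version (optional), serialNumber, signature, issuer, validity, subject, ...
    tag, _, after = _read_tlv(tbs, 0)
    p = after if tag == 0xA0 else 0
    for _ in range(2):                              # skip serialNumber and the inner AlgorithmIdentifier
        _, _, p = _read_tlv(tbs, p)
    start = p
    _, _, p = _read_tlv(tbs, p)
    issuer = tbs[start:p]                           # full issuer Name TLV
    _, _, p = _read_tlv(tbs, p)                     # validity
    start = p
    _, _, p = _read_tlv(tbs, p)
    subject = tbs[start:p]                          # full subject Name TLV
    return _decode_oid(oid), issuer == subject

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def audit_chain(pem_text):
    """One report entry per certificate; 'flagged' means a verified SHA-1 signature.
    A self-signed root is never flagged because its signature is not validated."""
    report = []
    for i, body in enumerate(_PEM_BLOCK.findall(pem_text)):
        oid, self_signed = inspect_certificate(base64.b64decode("".join(body.split())))
        name = SHA1_SIGNATURE_OIDS.get(oid) or OTHER_SIGNATURE_OIDS.get(oid, oid)
        report.append({"index": i, "algorithm": name, "self_signed": self_signed,
                       "flagged": oid in SHA1_SIGNATURE_OIDS and not self_signed})
    return report

# --- constructed sample input (not real certificates) -------------------------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def _name(common_name):
    """Name with a single commonName attribute (enough for the issuer == subject test)."""
    attr = _tlv(0x30, _tlv(0x06, _encode_oid("2.5.4.3")) + _tlv(0x0C, common_name.encode()))
    return _tlv(0x30, _tlv(0x31, attr))

def make_sample_cert(subject_cn, issuer_cn, sig_oid):
    """Structurally valid X.509 skeleton with a dummy signature, wrapped as PEM (constructed)."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"150101000000Z") + _tlv(0x17, b"160101000000Z"))
    rsa = _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.1.1")) + _tlv(0x05, b""))
    spki = _tlv(0x30, rsa + _tlv(0x03, b"\x00\x30\x00"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + bytes(32)))).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# SHA-1 leaf (flagged), SHA-256 intermediate, SHA-1 self-signed root (not flagged).
SAMPLE_CHAIN_PEM = (
    make_sample_cert("www.example.test", "Example Intermediate CA", "1.2.840.113549.1.1.5")
    + make_sample_cert("Example Intermediate CA", "Example Root CA", "1.2.840.113549.1.1.11")
    + make_sample_cert("Example Root CA", "Example Root CA", "1.2.840.113549.1.1.5")
)

if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHAIN_PEM
    for entry in audit_chain(pem):
        print(entry)
```

Only the outer signatureAlgorithm is inspected, because that is the algorithm the verifier actually checks; the copy inside TBSCertificate must match it but is not what gets validated. Treating a self-signed certificate as a root is a heuristic for this check, not a trust decision: a self-signed certificate is only a root if it is in the trust store.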


=== Delegation of Domain / Email Validation to Third Parties ===