tl;dr? Avoid SHA-1 certificate chains. https://twitter.com/simonsteiner/status/598852621995216896
@sleevi_ @ivanristic New root would itself need to be cross-signed, a catch-22. I don't think there's a way for a CA to not "botch" this.
@__agwa @ivanristic Also, important to separate out cross-signed roots (which aren't really an issue if client actually trusts roots) from
@__agwa @ivanristic multiply-signed intermediates (which aren't as TAs, are cached, and are wholly in the CAs control).
@__agwa @ivanristic For example, @Entrust did have a doubly-signed intermediate (L1C), which caused issues. Solution? SHA-256 L1K cert and
@__agwa @ivanristic reaching out to their customers to make sure things worked. "Easy" fix. StartSSL, on the other hand, keeps issuing off
@__agwa @ivanristic their doubly-signed SHA-1/SHA-256 root, thus causing problems for every new issuance and perpetuating the issue
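The distinction drawn in the thread, between a SHA-1 self-signature on a root the client already trusts (never verified, so harmless) and a SHA-1 signature on an intermediate or leaf (verified on every connection, so a real problem), is easy to get wrong in a chain-audit script. The block below is an added example written for this page, not code from anyone in the thread or from Entrust or StartSSL; it assumes the `cryptography` Python library and builds a small throwaway PKI with EC keys so it runs offline. The certificate names are made up and only loosely mirror the L1C/L1K story: one intermediate is signed with SHA-1, a replacement intermediate is signed with SHA-256, and the root is deliberately self-signed with SHA-1 to show that the audit ignores a trusted anchor's own signature.

```python
# Added example: audit a chain for SHA-1 signatures, skipping the trust anchor's
# self-signature (which a client that trusts the root never verifies).
# Assumes the `cryptography` library (https://cryptography.io). All names are constructed.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_cn, subject_key, issuer_key, hash_alg, is_ca):
    """Issue a minimal certificate for subject_cn signed by issuer_key with hash_alg."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hash_alg)


def sha1_signatures(chain, trust_anchors):
    """Return subjects (RFC 4514 strings) of certs in `chain` whose signature uses SHA-1.

    A self-signed certificate that is in `trust_anchors` is skipped: the client trusts
    it directly, so the hash used for its own signature is never checked. Every other
    signature in the chain (intermediates and the leaf) is verified by relying parties,
    so SHA-1 there is flagged.
    """
    anchor_subjects = {c.subject for c in trust_anchors}
    findings = []
    for cert in chain:
        if cert.subject == cert.issuer and cert.subject in anchor_subjects:
            continue  # trusted root: its self-signature is irrelevant
        if isinstance(cert.signature_hash_algorithm, hashes.SHA1):
            findings.append(cert.subject.rfc4514_string())
    return findings


def build_demo_pki():
    """Constructed PKI: a SHA-1 self-signed root, a SHA-1 intermediate, a SHA-256
    replacement intermediate, and a SHA-256 leaf issued under each."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    old_int_key = ec.generate_private_key(ec.SECP256R1())
    new_int_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())

    # Root signed with SHA-1 on purpose: this alone must NOT be flagged when trusted.
    root = make_cert("Example Root", "Example Root", root_key, root_key, hashes.SHA1(), True)
    # Old intermediate (the doubly-signed SHA-1 case): verified on every handshake.
    old_int = make_cert("Example Intermediate Old", "Example Root", old_int_key, root_key,
                        hashes.SHA1(), True)
    # Replacement intermediate with a SHA-256 signature (the "easy" fix from the thread).
    new_int = make_cert("Example Intermediate New", "Example Root", new_int_key, root_key,
                        hashes.SHA256(), True)
    leaf_old = make_cert("www.example.test", "Example Intermediate Old", leaf_key, old_int_key,
                         hashes.SHA256(), False)
    leaf_new = make_cert("www.example.test", "Example Intermediate New", leaf_key, new_int_key,
                         hashes.SHA256(), False)
    return {"root": root, "old_int": old_int, "new_int": new_int,
            "leaf_old": leaf_old, "leaf_new": leaf_new}


def demo():
    """Audit both chains (leaf first, root last) against the root as trust anchor."""
    pki = build_demo_pki()
    anchors = [pki["root"]]
    return {
        "chain_via_sha1_intermediate": sha1_signatures(
            [pki["leaf_old"], pki["old_int"], pki["root"]], anchors),
        "chain_via_sha256_intermediate": sha1_signatures(
            [pki["leaf_new"], pki["new_int"], pki["root"]], anchors),
        # Same SHA-1 root, but treated as an untrusted cross-signed cert: now it counts.
        "root_not_trusted": sha1_signatures([pki["root"]], []),
    }


if __name__ == "__main__":
    for chain_name, findings in demo().items():
        print(f"{chain_name}: {findings or 'no SHA-1 signatures that clients verify'}")
```

The check keys on the relationship the thread describes: a root's self-signature only matters when the client does not hold that root as a trust anchor and instead chains through a cross-sign to some other root, in which case the same certificate bytes are an intermediate and get audited like one. Run against a real deployed chain (for example, the PEM blocks `openssl s_client -showcerts` prints), the same function tells a CA customer whether re-issuing off a SHA-256 intermediate actually removed every SHA-1 signature a browser will verify.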