Comment 33 for bug 312536

Johnath (johnath) wrote:

(In reply to comment #26)
> 1) Is Mozilla willing to disable MD5 cert signatures and "break the web"
> unilaterally, even if it drives users to IE?
>
> Johnathan, as Mozilla's representative to CABForum, have you broached this
> subject with the other browser representatives there?
>
> I have so many things on my plate now that I must prioritize my work
> carefully. Until I see that either
> a) the browsers are willing to act in concert on this, and collectively
> announce a date on which they will desupport it, or
> b) someone speaking for Mozilla says here that Mozilla is willing to
> unilaterally "break the web",
> I don't think this bug is really urgent.

I have spoken with the CABForum about this issue. The message I gave the CAs there (not all CAs by a long shot, but representing the vast majority of issued certs on the public web) is that while we still need to have our own community discussions about the specifics, we consider MD5 to be on the way out. I told them we were unlikely to kill it tomorrow, but that no CA should be counting on support for MD5 to last. I suggested a general ballpark for retirement at 6-18 months, very much dependent on the state of deployed certificates on the web. I asked the CAs if that was a surprising answer, and a few confirmed that this was as they expected. The rest may need to consult counsel before they can answer a question like that. :)

I have spoken to MS and Opera (Apple is not a member of the CABForum and George Staikos from Konqueror/Torch Mobile was not on the call) and while I am most decidedly not speaking for them, I got the impression that they were considering similar approaches and timelines.

If they weren't though, and we were otherwise satisfied that the state of the deployed web (and the state of MD5) was such that we felt comfortable making the change, I don't feel that we would wait for other browsers to do so first.

Making my policy thoughts here into concrete policy action is not really for this bug, of course. I hope it clarifies the state of my thinking, anyhow. How does that impact your estimation of priority?

> How's that sound?

From a distance, the API description sounds good.