
Postponing the Retirement of SHA-1 - jonbaer
http://www.infoq.com/news/2015/12/retiring-SHA-1
======
jvehent
Ryan Sleevi, of the Chrome PKI team, has written a much more detailed analysis
of the Cloudflare proposal and its caveats. I recommend you read them before
voicing an opinion on this topic, because it is a complex one.

1\. [https://medium.com/@sleevi_/a-history-of-hard-choices-c1e1cc...](https://medium.com/@sleevi_/a-history-of-hard-choices-c1e1cc9bb089#.mdfi0lung)

2\. [https://medium.com/@sleevi_/legacy-verified-legacy-solutions...](https://medium.com/@sleevi_/legacy-verified-legacy-solutions-15eb688716e4#.uioly27l9)

Today is the last day to get SHA-1 certs issued. We, at Mozilla, stocked up on
SHA-1 certs that expire 39 months from now, so we can keep serving old clients
up until March 2019 using cert switching technology. Most organizations that
want to keep supporting old clients have done similar things. Smaller
companies typically don't care about old clients, and most likely already
broke compatibility with them by using various modern web stacks.

~~~
yuhong
Chrome BTW plans to remove pre-Win7 support in early 2016. I was pushing for
Firefox to at least remove XP SP2 support in 2016.

~~~
colejohnson66
Why not pre-Vista? Besides the bad rap because driver developers took
advantage of undocumented features (among other reasons), how is it different
architecturally from 7? Internally, Vista and up are all NT 6.x releases (XP
was 5.x): Vista was 6.0, 7 was 6.1, 8 was 6.2, etc.

~~~
toast0
Windows Vista has fewer users than XP, so if you're OK with the consequences
of dropping support for XP to simplify your life, you should be OK dropping
Vista too. Same thing with dropping IE7 at the same time as IE6.

Added: yes, you could use this argument to say you don't need to support
Windows 10 either, but Windows 10 is probably going to get more users over
time, as opposed to Vista. Windows 8.0 is also less than XP, but since 7 and
8.1 are big, it's probably not a great idea to leave a hole in your supported
OS chart.

~~~
RaleyField
> so if you're OK with the consequences of dropping support for XP to simplify
> your life

XP is EOL, Vista is not. XP users ought not to connect to the internet.

------
ryanlol
No better way to make people migrate than breaking things.

~~~
Strom
This isn't really about developed countries and grumpy corporate device
policies; it's more about very poor people and their really old second-hand
feature phones. These are people who use the same device for 5, even 10 years
and don't really have the resources to replace them more frequently.

~~~
ryanlol
I hope Facebook at least displays a big red constantly visible warning banner
to those users.

