Comment 55 for bug 312536

In , Nelson-bolyard (nelson-bolyard) wrote :

Julien, there is no agreement that MD5 should be universally disabled,
or even disabled for all cert signatures. By some estimates, turning off
support for MD5 now would break 10-20% of https web sites.

Mozilla should work with the other browser vendors to have them all agree
to publish a drop-dead date for MD5, and we can drop it at that point.

The scope of this bug is specifically about the use of certain hashes in
signatures processed by NSS's higher layers. The scope excludes other
non-signature uses of these hashes, and excludes use of Softoken without
using libNSS3.

It's true that the patch here does nothing to prevent programs that use
Softoken by itself from using Softoken's MD2 and MD4/5, but that is outside
the scope of this bug.

If you want to disable all uses of MD2, 4 & 5 in Softoken, please file a
bug for that.
If you want to disable all uses of MD2, 4 & 5 for things other than
signatures, please file a bug for that.