1. Make sure that SHA-2 hashes work in CertID.
2. Test that SHA-2 signatures are accepted.
3. Ensure that we send the preferred signature algorithm extension in our OCSP requests (http://tools.ietf.org/html/rfc6960#section-4.4.7).
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Depends on: 915931
Priority: -- → P4
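The three items above all touch concrete ASN.1 structures from RFC 6960: CertID (section 4.1.1) names the hash algorithm used for issuerNameHash and issuerKeyHash, and the id-pkix-ocsp-pref-sig-algs request extension (section 4.4.7.1) tells the responder which signature algorithms the client prefers. The following is an added example, not code from this bug, mozilla::pkix or NSS: it hand-encodes a CertID with SHA-256, checks a received CertID the way a responder or verifier would (recomputing the hashes with whatever supported algorithm the CertID names, so SHA-2 and SHA-1 CertIDs are both handled), and wraps the CertID in an unsigned OCSPRequest carrying the preferred-signature-algorithms extension. It uses only the Python standard library; the issuer name, public key bits and serial number are constructed stand-ins, and the OIDs are the standard RFC 3279/5754/4055/5758/6960 values.

```python
"""Added example (not mozilla::pkix/NSS code): OCSP CertID with a SHA-2 hash,
verifier-side CertID matching, and an OCSPRequest carrying the
id-pkix-ocsp-pref-sig-algs extension (RFC 6960 4.1.1 and 4.4.7)."""
import hashlib

HASH_OIDS = {                      # digest algorithm OIDs (RFC 3279, RFC 5754)
    "sha1": "1.3.14.3.2.26",
    "sha256": "2.16.840.1.101.3.4.2.1",
    "sha384": "2.16.840.1.101.3.4.2.2",
}
SIG_OIDS = {                       # signature OID, whether parameters must be NULL
    "sha256WithRSAEncryption": ("1.2.840.113549.1.1.11", True),   # RFC 4055
    "ecdsa-with-SHA256": ("1.2.840.10045.4.3.2", False),          # RFC 5758
}
ID_PKIX_OCSP_PREF_SIG_ALGS = "1.3.6.1.5.5.7.48.1.8"               # RFC 6960 4.4.7.1

# --- minimal DER encoder / decoder -----------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:               # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return der(0x06, bytes(body))

def der_uint(n):                       # INTEGER, non-negative (serial numbers)
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_read(buf, pos=0):
    """Return (tag, content, end) of the TLV that starts at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def algorithm_identifier(oid, null_params):
    return der(0x30, der_oid(oid) + (b"\x05\x00" if null_params else b""))

# --- CertID ------------------------------------------------------------------
def cert_id(hash_name, issuer_name_der, issuer_key_bits, serial):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }.
    SHA-2 AlgorithmIdentifiers omit parameters (RFC 5754); SHA-1 keeps NULL (RFC 3279)."""
    h = lambda data: hashlib.new(hash_name, data).digest()
    return der(0x30, algorithm_identifier(HASH_OIDS[hash_name], hash_name == "sha1")
               + der(0x04, h(issuer_name_der))   # hash of the DER-encoded issuer Name
               + der(0x04, h(issuer_key_bits))   # hash of the issuer's subjectPublicKey bits
               + der_uint(serial))

_HASH_BY_OID_DER = {der_oid(v): k for k, v in HASH_OIDS.items()}

def cert_id_hash_algorithm(cert_id_der):
    """Hash algorithm named by a CertID, or None if it is not one we support."""
    _, seq, _ = der_read(cert_id_der)
    _, alg, _ = der_read(seq)
    _, _, oid_end = der_read(alg)
    return _HASH_BY_OID_DER.get(alg[:oid_end])

def cert_id_matches(cert_id_der, issuer_name_der, issuer_key_bits, serial):
    """Responder/verifier side: recompute both hashes with the algorithm the
    CertID names and compare all fields; unknown algorithms never match."""
    name = cert_id_hash_algorithm(cert_id_der)
    if name is None:
        return False
    _, seq, _ = der_read(cert_id_der)
    _, _, p = der_read(seq)                      # skip hashAlgorithm
    _, name_hash, p = der_read(seq, p)
    _, key_hash, p = der_read(seq, p)
    _, serial_body, _ = der_read(seq, p)
    return (name_hash == hashlib.new(name, issuer_name_der).digest()
            and key_hash == hashlib.new(name, issuer_key_bits).digest()
            and int.from_bytes(serial_body, "big") == serial)

# --- request with the preferred-signature-algorithms extension --------------
def pref_sig_algs_extension(sig_names):
    """Extension { id-pkix-ocsp-pref-sig-algs, OCTET STRING { SEQUENCE OF
    PreferredSignatureAlgorithm { sigIdentifier } } }, most preferred first."""
    prefs = b"".join(der(0x30, algorithm_identifier(*SIG_OIDS[n])) for n in sig_names)
    return der(0x30, der_oid(ID_PKIX_OCSP_PREF_SIG_ALGS) + der(0x04, der(0x30, prefs)))

def ocsp_request(cert_id_der, extensions):
    """Unsigned OCSPRequest { TBSRequest { requestList, [2] requestExtensions } }."""
    request_list = der(0x30, der(0x30, cert_id_der))
    tbs = der(0x30, request_list + der(0xA2, der(0x30, b"".join(extensions))))
    return der(0x30, tbs)

# Constructed stand-ins for an issuer (not taken from any real certificate).
ISSUER_NAME = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, b"Example Test CA"))))
ISSUER_KEY_BITS = b"constructed-subjectPublicKey-bits"
SERIAL = 0x1001

if __name__ == "__main__":
    cid = cert_id("sha256", ISSUER_NAME, ISSUER_KEY_BITS, SERIAL)
    ext = pref_sig_algs_extension(["ecdsa-with-SHA256", "sha256WithRSAEncryption"])
    print(cert_id_hash_algorithm(cid), cert_id_matches(cid, ISSUER_NAME, ISSUER_KEY_BITS, SERIAL))
    print(ocsp_request(cid, [ext]).hex())
```

The verifier-side check is the part that matters for item 1: a responder that only knows the SHA-1 OID will report `unknown` status for a SHA-256 CertID, so a client that switches its CertID hash needs to be ready for responders that do not support it, which is exactly what the preferred-signature-algorithms extension does not solve (it covers the response signature, not the CertID hash).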
Created attachment 8390145 (patch)

I rebased this on top of bug 969048 since it's about to land (once bug 915932 lands and sticks, which it looks like it will), but the only conflict should be with the telemetry tests. One thing to note is that since bug 663315 hasn't been finished, SHA-2 is not supported in NSS/classic verification.
It will be a few days before I get to this. AFAICT, this is new functionality beyond the NSS-based verifier and I also want to write unit tests in bug 966856 for this.
Summary: Add SHA-2 support to insanity::pkix's OCSP implementation → Add SHA-2 support to mozilla::pkix's OCSP implementation
Comment on attachment 8390145 (patch)

This has probably bit-rotted quite a bit. Clearing review until we need this.
See Also: → bug 943624
David, is there any chance of this happening soon? I think it would be great if we started moving towards a world where you don't need to implement SHA-1 at all. This is the last place, AFAICT, where SHA-1 is required, after servers upgrade to TLS 1.2 with SHA-2 based certs.
I'll see what I can do. I agree this would be a good thing to do.
I'm not actively working on this at the moment.
Assignee: dkeeler → nobody
Status: ASSIGNED → NEW