Thunderbird 38.5.0 is now available / special notice
R Kent James
kent at caspia.com
Thu Dec 24 16:56:58 UTC 2015
On 12/23/2015 3:59 PM, John L. Jacobs wrote:
> I do have XP SP2 on my network but rarely even powered up. What I find
> difficult to understand is your use of the word "deprecate" in the
> context of MS and SHA1. In my experience, SHA1 has pretty much not be
> used for quite a while in favor of SHA2 (SHA-256). Thuderbird (an old
> version?) is on the XP machine, not being used, would update, data on
> it has been irrelevant for a long time. Let me know what you want are
> looking for.
> I read into this and other communications that TB is in someway going
> to incorporate security certificates???
> John L Jacobs, Retired Network Engineer
> 4105 Primrose Way
> Napa, Ca 94558-1595
> Ph: 415-738-2550
The immediate issue is the signing of Mozilla code, which is necessary
to prevent security warnings from appearing when Firefox or Thunderbird
is installed. This month, the signing is being switched from SHA-1 to
SHA-256, with that schedule forced up against a deadline by the upcoming
deprecation of SHA-1 in modern Windows systems on 2016-01-01. The issue
is complicated by the Mozilla installer, that is used for silent updates
of Firefox and Thunderbird. That also had to be upgraded, and the whole
thing has to be done in two steps. (Bit of a chicken and egg problem
getting existing apps, signed with SHA-1, to recognize SHA-256 before
updated versions, signed with SHA-256, could be released.).
The QA problem is quite tricky, as each version of Microsoft Windows has
a slightly different set of handling of SHA-1 and SHA-256 certificates,
plus it depends on both the system date in the client system, as well as
the system date of the certificate-signing system.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the tb-planning