From 2d7f0c30d34a4f8128e25eb87b0400be812f336b Mon Sep 17 00:00:00 2001
From: source <source@cacert.org>
Date: Thu, 8 Jul 2010 14:05:50 +0000
Subject: [PATCH] MD5/SHA1 migration explained

git-svn-id: http://svn.cacert.org/CAcert/Policies@1961 14b1bab8-4ef6-0310-b690-991c95c89dfd
---
 CertificationPracticeStatement.html | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/CertificationPracticeStatement.html b/CertificationPracticeStatement.html
index 22e443a..e6ad9fc 100755
--- a/CertificationPracticeStatement.html
+++ b/CertificationPracticeStatement.html
@@ -2961,7 +2961,9 @@ No limitation is placed on Subscriber key sizes.
 <p>
 CAcert X.509 root and intermediate keys are currently 4096 bits.
 X.509 roots use RSA and sign with the SHA-1 message digest algorithm.
+Certificates have been signed until 2004 with MD5, since 2005 SHA-1 or better algorithms are used.
 See <a href="#p4.3.1">&sect;4.3.1</a>.
+
 </p>
 
 <p>
@@ -2974,15 +2976,6 @@ in line with general cryptographic trends,
 and as supported by major software suppliers.
 </p>
 
-  <ul class="q">
-    <li> old Class 3 SubRoot is signed with MD5 </li>
-    <li> likely this will clash with future plans of vendors to drop acceptance of MD5</li>
-    <li> Is this a concern? </li>
-    <li> to users who have these certs, a lot? </li>
-    <li> to audit, not much? </li>
-  </ul>
-
-
 <h4><a name="p6.1.6" id="p6.1.6">6.1.6. Public key parameters generation and quality checking</a></h4>
 
 <p>