Reply to post: Browsers aren't the only applications using SSL certificates

SHA-1 crypto hash retirement fraught with problems

Anonymous Coward

Browsers aren't the only applications using SSL certificates

It's all very well saying "just upgrade your browser / OS", but there are also other uses of SSL certs. For example, I recently heard of an outage on an "Internet of Things" application where the client components could not handle SHA-2 certificates and these client components cannot easily be replaced. This application linked an IoT device to a back-end system using HTTPS. When the cert was extended, it broke the client because people did not expect the new algorithm.

I think it's fine that certificate authorities use SHA-2 as the default - but refusing to issue SHA-1 certs in the future seems unnecessarily harsh. It will break quite a number of existing systems over the course of time. Sure - these systems may be exposed to some security risks, but those risks are (at the moment) marginal and that's a trade-off better put in the hands of their owners. I feel that the CAs should be called upon to allow SHA-1 certs to be issued for a longer period of time.
