[Cscwg-public] Today's discussion on SHA-1 and RSA 3072

[Corey Bonnell]

Hello,

To provide more context and help facilitate discussion, below are the
questions that originally prompted the conversation on today's call
regarding SHA-1 sunset dates and RSA key size requirements for roots:

 

---

 

Appendix A of the CSBRs denotes that SHA-1 certificates may be issued until
the end of this year to support legacy platforms. However, the Appendix is
silent on the allowed signature algorithms for OCSP responses and OCSP
delegated responder certificates that are issued by a codesigning or
timestamping ICA. Our interpretation of the requirements is that OCSP
delegated responder certificates and OCSP responses signed using SHA-1 are
acceptable after the transition date, otherwise legacy clients will be
unable to check the OCSP status of issued certificates if they are signed
with an algorithm besides SHA-1. Does Microsoft share this interpretation?

 

In a similar vein, the requirements set forth for Timestamp Responder
certificates in Appendix A indicate that the SHA-1 transition date is end of
2020, but SHA-1 signatures on timestamp tokens has been moved back to end of
April 2022. However, section 9.4 of the CSBRs indicates that Timestamp
Authority certificates can only be used in production for a maximum of 15
months. For those CAs who issue end-entity timestamp responder certificates
and immediately place them in production, this means that there is a period
in 2022 where they cannot provide SHA-1 timestamping services to legacy
clients as they will need to rotate their timestamp responder certificate
before April 30 to remain compliant with the 15-month rule but will be
unable to issue a replacement due to the certificate issuance SHA-1 sunset
date being set to end of 2020. For CAs in this situation, would it be
acceptable to issue timestamp responder certificates until the timestamp
token SHA-1 sunset date of April 30, 2022?

 

Lastly, from recent conversations in the Code Signing working group,
Microsoft appears to be supportive of CAs creating new RSA 3072 roots to
comply with the June 2021 requirement for larger key sizes. However, section
B of the Microsoft Root Program requirements specifies that the minimum key
size for new roots is RSA 4096, which would preclude the submission of RSA
3072 roots. RSA 3072 roots are desirable as there is greatly increased
performance realized as opposed to larger keys, which in turn would decrease
application startup times. Clarity regarding Microsoft's expectations for
minimum RSA key sizes for new roots would be appreciated.

 

Thanks,

Corey

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20201217/e07bc48a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4990 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20201217/e07bc48a/attachment.p7s>