<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v = "urn:schemas-microsoft-com:vml" xmlns:o = "urn:schemas-microsoft-com:office:office" xmlns:w = "urn:schemas-microsoft-com:office:word" xmlns:m = "http://schemas.microsoft.com/office/2004/12/omml"><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=Generator content="Microsoft Word 14 (filtered medium)">
<STYLE><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></STYLE>
</HEAD>
<BODY lang=EN-US link=blue vLink=purple>
<DIV>
<DIV style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif">The problem is that we need more certainty for planning purposes and to be able to make meaningful progress in order to accomplish what Microsoft is recommending for us to do. This is merely ratifying what we all know is the de facto policy due to Microsoft's position, which they have indicated will not change. We can tweak this plan later in July 2015 if Microsoft tweaks its policy, and between now and then we'll have the opportunity to collect data. For now, I believe most CAs are already in compliance.</DIV></DIV>
<DIV dir=ltr>
<HR>
<SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif; FONT-WEIGHT: bold">From: </SPAN><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif"><A href="mailto:bruce.morton@entrust.com">Bruce Morton</A></SPAN><BR><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif; FONT-WEIGHT: bold">Sent: </SPAN><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif">2/20/2014 6:38 AM</SPAN><BR><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif; FONT-WEIGHT: bold">To: </SPAN><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif"><A href="mailto:questions@cabforum.org">questions@cabforum.org</A></SPAN><BR><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif; FONT-WEIGHT: bold">Subject: </SPAN><SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: Calibri,sans-serif">[cabfquest] FW: [cabfpub] SHA1 Deprecation Ballot</SPAN><BR><BR></DIV>
<DIV class=WordSection1>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">I’m concerned with this ballot.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">Microsoft has stated a policy, but have also stated that they may change the policy in 2015. Nevertheless, all CAs must comply with Microsoft’s policy as it evolves.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">If a change is made to the Baseline Requirements, then the CAB Forum should consider that they will change the policy if Microsoft does.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">If the CAB Forum wants to manage this policy themselves, then there should be work done to get data to justify the policy. When should we protect against collision? When should we protect against Preimage and Second-Preimage? When will SHA2 be sufficiently supported? If the CAB Forum is not doing work to get this data, then how do you justify the policy?<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">If Microsoft is doing the work to create the plan for SHA1 deprecation, then I think that the CAs should just follow their lead. When the plan is finalized, then it should be incorporated into the BRs.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">Bruce.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<DIV>
<DIV style="BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; BORDER-BOTTOM: medium none; PADDING-BOTTOM: 0in; PADDING-TOP: 3pt; PADDING-LEFT: 0in; BORDER-LEFT: medium none; PADDING-RIGHT: 0in">
<P class=MsoNormal><B><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'"> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <B>On Behalf Of </B>Ben Wilson<BR><B>Sent:</B> Wednesday, February 19, 2014 3:02 PM<BR><B>To:</B> public@cabforum.org<BR><B>Subject:</B> [cabfpub] SHA1 Deprecation Ballot<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>I’m not sure whether I’ve captured it all, but here is a rough draft of a possible ballot for the Baseline Requirements. <o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Effective immediately CAs SHOULD begin migrating away from using the SHA-1 hashing algorithm to sign SSL/TLS and code signing certificates. <o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Beginning January 1, 2016, CAs SHALL NOT use the SHA-1 hashing algorithm to sign SSL/TLS or code signing certificates.<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Please provide your comments, edits, etc., <o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Thanks,<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Ben<o:p></o:p></P></DIV></BODY></HTML>