<div dir="ltr">Hi Bruce,<div><br></div><div>I just wanted to echo Ben's sentiment and our support for the deprecation of SHA-1. Although Microsoft has lead the way, we actively consider these dates "Good dates". The only thing that can or should change such a timeline would be some degree of unforeseen exigent circumstance, and this is highly unlikely.</div>
<div><br></div><div>I believe the only way the Forum will make meaningful progress on this is by incorporating these dates into the Forum's Guidelines - and, as I discussed yesterday, by ratcheting up the UI in Browsers to indicate the decreasing trust and faith in SHA-1.</div>
<div><br></div><div>However, we need to make progress by the dates set forth. It's unfortunate that we cannot set the dates more aggressively, but we must not find ourselves in another MD5, where CAs were continuing to issue years after it was known to be broken.</div>
<div><br></div><div>So consider this (and related efforts) as having our full support.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Feb 20, 2014 at 6:37 AM, Bruce Morton <span dir="ltr"><<a href="mailto:bruce.morton@entrust.com" target="_blank">bruce.morton@entrust.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="color:#1f497d">I’m concerned with this ballot.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">Microsoft has stated a policy, but have also stated that they may change the policy in 2015. Nevertheless, all CAs must comply with Microsoft’s policy as it evolves.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">If a change is made to the Baseline Requirements, then the CAB Forum should consider that they will change the policy if Microsoft does.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">If the CAB Forum wants to manage this policy themselves, then there should be work done to get data to justify the policy. When should we protect against collision? When should we protect against Preimage and
Second-Preimage? When will SHA2 be sufficiently supported? If the CAB Forum is not doing work to get this data, then how do you justify the policy?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">If Microsoft is doing the work to create the plan for SHA1 deprecation, then I think that the CAs should just follow their lead. When the plan is finalized, then it should be incorporated into the BRs.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">Bruce.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ben Wilson<br>
<b>Sent:</b> Wednesday, February 19, 2014 3:02 PM<br>
<b>To:</b> <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br>
<b>Subject:</b> [cabfpub] SHA1 Deprecation Ballot<u></u><u></u></span></p>
</div>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I’m not sure whether I’ve captured it all, but here is a rough draft of a possible ballot for the Baseline Requirements.
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Effective immediately CAs SHOULD begin migrating away from using the SHA-1 hashing algorithm to sign SSL/TLS and code signing certificates.
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Beginning January 1, 2016, CAs SHALL NOT use the SHA-1 hashing algorithm to sign SSL/TLS or code signing certificates.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Please provide your comments, edits, etc., <u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Ben<u></u><u></u></p>
</div></div></div>
</div>
<br>_______________________________________________<br>
Questions mailing list<br>
<a href="mailto:Questions@cabforum.org">Questions@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/questions" target="_blank">https://cabforum.org/mailman/listinfo/questions</a><br>
<br></blockquote></div><br></div>