<div dir="ltr">Ben,<div><br></div><div>Why do you believe that Microsoft's review is the only way to discover "Application X" and its existence? Why wouldn't we, within the CA/B Forum, except either member CAs (or CAs affected by but not members) to mention "Application X" exists?</div>
<div><br></div><div>Likewise, it seems reasonable to presume that "Application X" is not a common scenario to begin with - otherwise, we expect CAs would already be talking about "Application X" and its impact to their issuance practices.</div>
<div><br></div><div>As such, it seems like the scope of "Application X" is going to be so minimal, that it would be entirely reasonable/preferable/better for the Internet to let "We still issue SHA-1 for Application X" to be a qualified finding during an Audit (presuming, of course, that such timelines are incorporated within the audit framework in a timely manner), and then allow Root Programs to make a decision about "Application X"?</div>
<div><br></div><div>I see no reason to hold up the entire progress based on a hypothetical "Application X". And if such a blanket exception to security needs to be carved out, Root Programs are perfectly capable of doing so - as they have already done for other such "Application X" exceptional scenarios (eg: RSA-1024 bit certs for certain applications - such as Symantec's issuance of a <a href="http://pb.com">pb.com</a> certificate that conflicts with the BRs in <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=966350">https://bugzilla.mozilla.org/show_bug.cgi?id=966350</a> )<br>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Feb 27, 2014 at 4:59 PM, Ben Wilson <span dir="ltr"><<a href="mailto:ben@digicert.com" target="_blank">ben@digicert.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal">Let’s say we adopt this as a guideline. Then, what if we want to fine-tune it based on Microsoft’s July 2015 review of progress made? How can we amend the guideline and put that amendment in place before January 1, 2016? (Let’s say that based on Microsoft’s review, it appears that Application X and its users need more time. Won’t a CA that is providing SSL services for Application X say that six months is not enough time for the CAB Forum to adopt an exception and for it to change its code and certificate issuance processes to allow an exception for Application X and its users)? In other words, don’t we need feedback from Microsoft prior to July 2015 in order to put an amendment in place? If we adopt this provision, won’t we need to revisit it in about 12 months? <u></u><u></u></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p><div><div style="border-style:solid none none;border-top-color:rgb(181,196,223);border-top-width:1pt;padding:3pt 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Doug Beattie<br>
<b>Sent:</b> Thursday, February 20, 2014 11:55 AM<br><b>To:</b> <a href="mailto:ben@digicert.com" target="_blank">ben@digicert.com</a>; <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a></span></p>
<div class=""><br><b>Subject:</b> Re: [cabfpub] SHA1 Deprecation Ballot<u></u><u></u></div><p></p></div></div><span class=""><font color="#888888"><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span style="color:rgb(31,73,125)">Ben,<u></u><u></u></span></p>
</font></span><div><div class="h5"><p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)">While this may be obvious to most of us, we should explicitly state that all CA certificates in the hierarchy up to, but not including the publicly trusted root, must also not be SHA-1.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)">Doug<u></u><u></u></span></p><p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p><div><div style="border-style:solid none none;border-top-color:rgb(225,225,225);border-top-width:1pt;padding:3pt 0in 0in"><p class="MsoNormal">
<b>From:</b> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org" target="_blank">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ben Wilson<br>
<b>Sent:</b> Wednesday, February 19, 2014 3:02 PM<br><b>To:</b> <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br><b>Subject:</b> [cabfpub] SHA1 Deprecation Ballot<u></u><u></u></p></div></div>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I’m not sure whether I’ve captured it all, but here is a rough draft of a possible ballot for the Baseline Requirements. <u></u><u></u></p><p class="MsoNormal">
<u></u> <u></u></p><p class="MsoNormal">Effective immediately CAs SHOULD begin migrating away from using the SHA-1 hashing algorithm to sign SSL/TLS and code signing certificates. <u></u><u></u></p><p class="MsoNormal">
<u></u> <u></u></p><p class="MsoNormal">Beginning January 1, 2016, CAs SHALL NOT use the SHA-1 hashing algorithm to sign SSL/TLS or code signing certificates.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">
Please provide your comments, edits, etc., <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Thanks,<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Ben<u></u><u></u></p>
</div></div></div></div><br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br></div></div></div>