<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">[Reposting from Google SHA-1 list]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Kirk Hall (RD-US)
<br>
<b>Sent:</b> Thursday, August 28, 2014 4:29 PM<br>
<b>To:</b> 'rsleevi@chromium.org'<br>
<b>Cc:</b> security-dev; blink-dev; steve.medin@gmail.com; net-dev<br>
<b>Subject:</b> RE: Intent to Deprecate: SHA-1 certificates<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Thanks. But nothing in those snippets indicates that in August 2014 SHA-1 certificate users will be told by Google that they must switch out all their certs in 6-12 weeks
or else their websites will receive untrusted UIs in Chrome – does it? <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">As I mentioned before, our company already restricted our offerings so no customer can get a SHA-1 certificate expiring after 2016, so we are already in compliance. Why
are you effectively pushing back the SHA-1 deprecation deadline by two years on such short notice?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I think this is very unfortunate – Google seems angry at (some) CAs for past tardiness in transitions to stronger technologies (MD5, 1024 bit certs), but not all CAs are
guilty and in any case this is a very punitive policy.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">In fact, you are actually punishing website owners with perfectly valid SHA-1 certs who will be in full compliance with the SHA-1 deprecation policy by 2017 – they have done
nothing wrong, but because of Google’s new August 2014 policy, they have to speed up compliance to this year, at a very inconvenient time for many.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Finally, in my opinion, you are effectively punishing Chrome users as well (or confusing them, at the very least) by showing them “untrusted” Chrome UIs this fall for certs
that are, in fact, perfectly valid under a 2017 SHA-1 deprecation policy – all in the name of social engineering (pushing website owners and CAs to move faster). Is this really what you want to do to Chrome users with Chrome’s UI? It’s like “crying wolf”
– telling your own customers there is a problem with a website when there actually isn’t (you are just trying to make the website move faster).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Please listen to the people posting on this site and other sites, Ryan, and reconsider your timelines. Do the right thing, and reset the deadline for March 1, 2015 or later.
That will accomplish all your stated purposes, and avoid hurting a lot of people (and Chrome users) unnecessarily.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> sleevi@google.com [mailto:sleevi@google.com]
<b>On Behalf Of </b>Ryan Sleevi<br>
<b>Sent:</b> Thursday, August 28, 2014 4:19 PM<br>
<b>To:</b> Kirk Hall (RD-US)<br>
<b>Cc:</b> security-dev; Ryan Sleevi; blink-dev; steve.medin@gmail.com; net-dev<br>
<b>Subject:</b> Re: Intent to Deprecate: SHA-1 certificates<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">In a discussion of SHA-1 deprecation:<o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><a href="https://cabforum.org/pipermail/public/2014-March/003024.html" target="_blank"><span style="color:#6611CC;border:none windowtext 1.0pt;padding:0in">https://cabforum.org/pipermail/public/2014-March/003024.html</span></a><o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">"Chrome's plan continues to remain aggressive - disallowing certain algorithms/key sizes if their issuance date is after their sunset-grace
period, outright rejecting them <b>if their validity period exceeds the sunset-fail period</b>, and <b>eventually outright removing support entirely</b>. As such, a CA that (continues) to issue such certs would not (ultimately) be causing outright risk to
*current* versions of Chrome users"<o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><a href="https://cabforum.org/2014/02/19/2014-02-19-minutes-of-mountain-view-f2f/#SHA1-Sunsetting-Grandfathering-Strategy" target="_blank"><span style="color:#6611CC;border:none windowtext 1.0pt;padding:0in">https://cabforum.org/2014/02/19/2014-02-19-minutes-of-mountain-view-f2f/#SHA1-Sunsetting-Grandfathering-Strategy</span></a><o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">"Ryan: <snip> <b>It goes back to attempting what we believe is a balanced approach for the user experience by telling the user that we don’t
have full confidence in this site but allowing the user to proceed, but this may become more serious over time. So we’ll transition the user by not giving an EV indication. We’re also not going to require users to click through warnings</b>."<o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">"Ryan: This pushes support to the browsers because when a site operator does not switch over to SHA2 people will say the browser doesn’t work.
So, regardless of the sunset date, <b>we’ll have to start taking away your security benefits soon, but it would be better to find a solution based on policy</b>. If we cannot come to agreement on policy, like Brian said, then we are going to have different
approaches, but we cannot have a situation where we’re going to allow CAs to run SHA1 certificates up the wire and pass the cost on to the browsers. The reality is that when a site breaks, it is not the site operator that suffers, it’s the users, and users
don’t contact the site operator, they contact the browser or they go on social media and complain."<o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">"Ryan: It is all fine that we as a CA/Browser Forum can agree on something, but we need to get the attention of site operators and users on
this. If January 2016 is the date that CAs cease issuing SHA1 certificates, but site operators are installing 3-year certificates until then, we’re going to see problems when they have forgotten about it. <b>If we cannot resolve this in the CA/Browser Forum,
it will be something the browsers will start working on to get that messaging out.</b>"<o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">"Bob: <b>Ryan has said that in Chrome they will implement a countdown meter that tells end users that in X days the website will stop working because the server has not migrated
from SHA1</b>."</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<p class="MsoNormal">On Thu, Aug 28, 2014 at 4:14 PM, Kirk Hall <<a href="mailto:kirk_hall@trendmicro.com" target="_blank">kirk_hall@trendmicro.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal">Ryan -- seriously -- if you can point us to where, in the strings you referenced, that Google's new policy was first disclosed to CAs, and if it was about six months ago, you will receive a full and abject public apology from me, and no
further complaints about the new policy.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So please resolve this once and for all -- where and when exactly do you believe that Google first disclosed this new policy? <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">To unsubscribe from this group and stop receiving emails from it, send an email to
<a href="mailto:security-dev+unsubscribe@chromium.org">security-dev+unsubscribe@chromium.org</a>.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> security-dev@chromium.org [mailto:security-dev@chromium.org]
<b>On Behalf Of </b>Kirk Hall<br>
<b>Sent:</b> Thursday, August 28, 2014 4:15 PM<br>
<b>To:</b> security-dev@chromium.org<br>
<b>Cc:</b> Kirk Hall (RD-US); rsleevi@chromium.org; blink-dev@chromium.org; steve.medin@gmail.com; net-dev@chromium.org; rsleevi@chromium.org<br>
<b>Subject:</b> Re: Intent to Deprecate: SHA-1 certificates<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ryan -- seriously -- if you can point us to where, in the strings you referenced, that Google's new policy was first disclosed to CAs, and if it was about six months ago, you will receive a full and abject public apology from me, and no
further complaints about the new policy.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So please resolve this once and for all -- where and when exactly do you believe that Google first disclosed this new policy? <br>
<br>
On Thursday, August 28, 2014 3:40:13 PM UTC-7, Ryan Sleevi wrote:<o:p></o:p></p>
<p class="MsoNormal">Hi Kirk,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I can't help but feel you're intentionally being misleading. I would encourage you to read it again and confer with your colleagues.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It was clear enough, and long enough, a discussion that Bob (on behalf of Mozilla) was able to state it simply and succinctly in the text I conveniently highlighted for you in that thread. I'm not sure how there can be any ambiguity on
that, and it's the exact same policy now being proposed here.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">All the best,<o:p></o:p></p>
<p class="MsoNormal">Ryan<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<p class="MsoNormal">On Thu, Aug 28, 2014 at 3:36 PM, Kirk Hall <<a href="javascript:" target="_blank">kirk...@trendmicro.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal">Sorry, Ryan -- I don't see Google's new policy in any of those threads. Can you point it out?<br>
<br>
On Thursday, August 28, 2014 3:30:23 PM UTC-7, Ryan Sleevi wrote:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<p class="MsoNormal">On Thu, Aug 28, 2014 at 3:18 PM, <a href="mailto:kirk...@trendmicro.com">
kirk...@trendmicro.com</a> <<a href="mailto:kirk...@trendmicro.com">kirk...@trendmicro.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Ryan – you keep saying Google told all CAs about this policy six months ago. What are you referring to? The CA/Browser
Forum meeting in February? You made no mention of this policy at that time. See again the meeting minutes below from February 19, 2014.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Kirk,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I fear you may have missed the messages on this thread where I've identified that for you particularly, and for others.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">For your reference, I direct you to <a href="https://groups.google.com/a/chromium.org/d/msg/security-dev/2-R4XziFc7A/OAvNrBvhD5QJ" target="_blank">https://groups.google.com/a/chromium.org/d/msg/security-dev/2-R4XziFc7A/OAvNrBvhD5QJ</a> <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I note that I have already provided this link to you before, as shown on <a href="https://cabforum.org/pipermail/public/2014-August/003742.html" target="_blank">https://cabforum.org/pipermail/public/2014-August/003742.html</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hopefully you can take the opportunity to read it.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>
<table><tr><td bgcolor=#ffffff><font color=#000000><pre><table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table></pre></font></td></tr></table>