<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">[Reposting from Google SHA-1 list]<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: Kirk Hall (RD-US) <br>
Sent: Thursday, August 28, 2014 4:45 PM<br>
To: 'Chris Palmer'<br>
Cc: rsleevi@chromium.org; security-dev; blink-dev; steve.medin@gmail.com; net-dev<br>
Subject: RE: Intent to Deprecate: SHA-1 certificates<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">But Chris -- you are using a blunderbuss when you could use a high accuracy rifle (or better).<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">This policy is making compliant companies like Trend Micro contact all their customers now and make them replace all their SHA-1 certs (certs that all expire in 2014, 2015, and 2016) now -- when there is no need for that. Some customers
have thousands of certs from many dozens of domains -- domestic and international. Why do we and our customers have to do this?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">A six-month delay would still effectively eliminate all SHA-1 certs by the end of 2015 -- the same as Google's current deadline -- so you reach the same result. So why not give website owners and CAs some extra time to respond to this
surprise policy? And get them past the holiday retail season website lockdown?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<o:p></o:p></p>
<p class="MsoPlainText">From: Chris Palmer [mailto:palmer@google.com] <o:p></o:p></p>
<p class="MsoPlainText">Sent: Thursday, August 28, 2014 4:39 PM<o:p></o:p></p>
<p class="MsoPlainText">To: Kirk Hall (RD-US)<o:p></o:p></p>
<p class="MsoPlainText">Cc: rsleevi@chromium.org; security-dev; blink-dev; steve.medin@gmail.com; net-dev<o:p></o:p></p>
<p class="MsoPlainText">Subject: Re: Intent to Deprecate: SHA-1 certificates<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">On Thu, Aug 28, 2014 at 4:29 PM, <a href="mailto:kirk_hall@trendmicro.com">
<span style="color:windowtext;text-decoration:none">kirk_hall@trendmicro.com</span></a> <<a href="mailto:kirk_hall@trendmicro.com"><span style="color:windowtext;text-decoration:none">kirk_hall@trendmicro.com</span></a>> wrote:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> As I mentioned before, our company already restricted our offerings so no customer can get a SHA-1 certificate expiring after 2016, so we are already in compliance.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Great! Thank you.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> Why are you effectively pushing back the SHA-1 deprecation deadline by two years on such short notice?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">SHA-1 is now, and has been for some time, deprecated. The deadline is for when SHA-1 will be not just deprecated but *outright disabled*.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">So, we are surfacing the deprecation *now*, so that all CAs will do as Trend Micro has done, and won't suddenly be caught off-guard when<o:p></o:p></p>
<p class="MsoPlainText">SHA-1 is indeed turned off as scheduled.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>
<table><tr><td bgcolor=#ffffff><font color=#000000><pre><table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table></pre></font></td></tr></table>