<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Besides, do we know Apple's position on this topic?<br>
<br>
I have not seen comments from them, and I can't find information on
their web sites...<br>
<br>
<br>
<div class="moz-cite-prefix">Il 29/08/2014 08:57, Adriano Santoni -
Actalis S.p.A. ha scritto:<br>
</div>
<blockquote cite="mid:54002449.2070006@staff.aruba.it" type="cite">
<pre wrap="">Ryan,
apart from the discussion, it would be a good thing if you published
your plan on some Google's web site (like e.g.
<a class="moz-txt-link-freetext" href="http://www.chromium.org/Home/chromium-security/root-ca-policy">http://www.chromium.org/Home/chromium-security/root-ca-policy</a>)
It would be easier for CAs to show their customers in a more convincing
way what Google is going to do.
In other words, publishing your intent on a web site would have a little
bit more officiality -- that would help CAs.
How about that?
Thank you
Adriano
Il 29/08/2014 04:13, Ryan Sleevi ha scritto:
</pre>
<blockquote type="cite">
<pre wrap="">
Hi Kirk,
I feel like I have sufficiently explained our concerns and motivations
throughout this thread, with both you and other CAs, that it should be
readily apparent that this neither meets our goals nor helps our users.
I appreciate your thoughtful consideration in writing it.
Best,
Ryan
On Aug 28, 2014 7:04 PM, "<a class="moz-txt-link-abbreviated" href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:kirk_hall@trendmicro.com"><mailto:kirk_hall@trendmicro.com></a>" <<a class="moz-txt-link-abbreviated" href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:kirk_hall@trendmicro.com"><mailto:kirk_hall@trendmicro.com></a>> wrote:
Ryan and Chris – here is a serious proposal for a modified Google
SHA-1 policy. It meets all of your stated goals. Please give it
some consideration.
1. SHA-1 certs issued on or after [Nov. 1, 2014] that expire on or
after January 1, 2017 get a double whammy bad UI in Google upon
issuance – red slash and nasty click-throughs. (This will stop
issuance of 2017 SHA-1 certs this fall.)
2. SHA-1 certs issued before [Nov. 1, 2014] that expire on or
after January 1, 2017 get a double whammy bad UI in Google
starting [March 1, 2015] – red slash only and nasty
click-throughs. (This will force existing websites with 2017
SHA-1 certs to change them within the next six months).
Result: All 2017 SHA-1 certs will be gone by next March 2015 –
which certainly meets your goals. Customers with existing 2017
certs can get through this holiday season, CAs can get the message
out.
Advantages:
1. CAs that have never issued 2017 certs, and never will (like
Trend Micro) and their customers are not affected – that’s
appropriate, as we have never been a part of this problem.
2. CAs that have issued three year SHA-1 certs expiring in 2017
will stop by this fall.
3. CAs that have issued 2017 certs in the past (and their
customers) will be affected, but will have six months to adjust.
That will be a much smaller number of customers affected than if
those with 2016 certs are forced to change their certs twice (in
2014 and again in 2015).
4. All SHA-1 certs will likely be gone by next spring.
I don’t think Google should spend much time worrying about how CAs
communicate with their customers about the need to move to SHA-256
before 2017 – that’s for us to worry about, and we are all
strongly incentivized to get the message out (selling a 2017 cert
that doesn’t work creates legal problems, and none of us wants to
be dealing with angry SHA-1 customers in late 2016 who have to
switch to SHA-256). We may also be able to get behind Google’s
policy if it is revised – something that isn’t the case today.
You mentioned somewhere that you worried that simply deprecating
SHA-1 certs as of 2017 could create a big customer service burden
on Google as of late 2016 or early 2017. I don’t think that’s the
case with this new proposed policy, as all the negative UI effects
will happen in 2014-15. Plus, I predict Google will be deluged
with customer service complaints under your current policy, when
thousands of websites start showing as “untrusted” in the next
6-12 weeks. Why not make life easier for Google with a revised
policy?
So what do you think? Can we make a change to the policy that is
focused on the real problem (2017 certs)?
Thanks for your consideration.
*/Kirk R. Hall/*
Operations Director, Trust Services
Trend Micro
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<pre wrap="">
_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<i><span style="font-family: Serif">Adriano Santoni</span></i>
</div>
</body>
</html>