<div dir="ltr">+1 to Adriano suggestion.</div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><span style="color:rgb(136,136,136)">-- </span><br style="color:rgb(136,136,136)"><div dir="ltr"><font color="#999999" style="color:rgb(136,136,136)"><b>Chema López</b></font><div><font color="#999999"><b>Gestor de Proyectos - Departamento Técnico</b></font></div><div style="color:rgb(136,136,136)"><font color="#999999"><b>AC Firmaprofesional, S.A.</b></font><br></div><div style="color:rgb(136,136,136)"><br></div><div style="color:rgb(136,136,136)"><font color="#999999">Edificio ESADECREAPOLIS - 1B13</font></div><div style="color:rgb(136,136,136)"><font color="#999999">08173 Sant Cugat del Vallès, Barcelona. </font></div><div style="color:rgb(136,136,136)"><font color="#999999">T. 934 774 245</font></div><div style="color:rgb(136,136,136)"><font color="#999999">M. 666 429 224</font></div><div style="color:rgb(136,136,136)"></div></div></div></div>
<br><br><div class="gmail_quote">On Wed, Sep 3, 2014 at 3:56 PM, Doug Beattie <span dir="ltr"><<a href="mailto:doug.beattie@globalsign.com" target="_blank">doug.beattie@globalsign.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Adriano,<br>
<br>
That is a great suggestions, have you heard from Ryan on this yet? I also<br>
find it hard to locate and reference the current Google Chrome baseline<br>
within the long thread in the google groups discussion.<br>
<span class="HOEnZb"><font color="#888888"><br>
Doug<br>
</font></span><span class="im HOEnZb"><br>
> -----Original Message-----<br>
> From: <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>]<br>
> On Behalf Of Adriano Santoni - Actalis S.p.A.<br>
> Sent: Friday, August 29, 2014 2:57 AM<br>
> To: <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>
> Subject: Re: [cabfpub] Proposal for modified Google SHA-1 deprecation<br>
policy<br>
><br>
</span><div class="HOEnZb"><div class="h5">> Ryan,<br>
><br>
> apart from the discussion, it would be a good thing if you published your<br>
plan on<br>
> some Google's web site (like e.g.<br>
> <a href="http://www.chromium.org/Home/chromium-security/root-ca-policy" target="_blank">http://www.chromium.org/Home/chromium-security/root-ca-policy</a>)<br>
><br>
> It would be easier for CAs to show their customers in a more convincing<br>
way<br>
> what Google is going to do.<br>
> In other words, publishing your intent on a web site would have a little<br>
bit more<br>
> officiality -- that would help CAs.<br>
><br>
> How about that?<br>
><br>
> Thank you<br>
> Adriano<br>
><br>
><br>
><br>
> Il 29/08/2014 04:13, Ryan Sleevi ha scritto:<br>
> ><br>
> > Hi Kirk,<br>
> ><br>
> > I feel like I have sufficiently explained our concerns and motivations<br>
> > throughout this thread, with both you and other CAs, that it should be<br>
> > readily apparent that this neither meets our goals nor helps our users.<br>
> ><br>
> > I appreciate your thoughtful consideration in writing it.<br>
> ><br>
> > Best,<br>
> > Ryan<br>
> ><br>
> > On Aug 28, 2014 7:04 PM, "<a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a><br>
> > <mailto:<a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>>" <<a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a><br>
> > <mailto:<a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>>> wrote:<br>
> ><br>
> > Ryan and Chris - here is a serious proposal for a modified Google<br>
> > SHA-1 policy. It meets all of your stated goals. Please give it<br>
> > some consideration.<br>
> ><br>
> > 1. SHA-1 certs issued on or after [Nov. 1, 2014] that expire on or<br>
> > after January 1, 2017 get a double whammy bad UI in Google upon<br>
> > issuance - red slash and nasty click-throughs. (This will stop<br>
> > issuance of 2017 SHA-1 certs this fall.)<br>
> ><br>
> > 2. SHA-1 certs issued before [Nov. 1, 2014] that expire on or<br>
> > after January 1, 2017 get a double whammy bad UI in Google<br>
> > starting [March 1, 2015] - red slash only and nasty<br>
> > click-throughs. (This will force existing websites with 2017<br>
> > SHA-1 certs to change them within the next six months).<br>
> ><br>
> > Result: All 2017 SHA-1 certs will be gone by next March 2015 -<br>
> > which certainly meets your goals. Customers with existing 2017<br>
> > certs can get through this holiday season, CAs can get the message<br>
> > out.<br>
> ><br>
> > Advantages:<br>
> ><br>
> > 1. CAs that have never issued 2017 certs, and never will (like<br>
> > Trend Micro) and their customers are not affected - that's<br>
> > appropriate, as we have never been a part of this problem.<br>
> ><br>
> > 2. CAs that have issued three year SHA-1 certs expiring in 2017<br>
> > will stop by this fall.<br>
> ><br>
> > 3. CAs that have issued 2017 certs in the past (and their<br>
> > customers) will be affected, but will have six months to adjust.<br>
> > That will be a much smaller number of customers affected than if<br>
> > those with 2016 certs are forced to change their certs twice (in<br>
> > 2014 and again in 2015).<br>
> ><br>
> > 4. All SHA-1 certs will likely be gone by next spring.<br>
> ><br>
> > I don't think Google should spend much time worrying about how CAs<br>
> > communicate with their customers about the need to move to SHA-256<br>
> > before 2017 - that's for us to worry about, and we are all<br>
> > strongly incentivized to get the message out (selling a 2017 cert<br>
> > that doesn't work creates legal problems, and none of us wants to<br>
> > be dealing with angry SHA-1 customers in late 2016 who have to<br>
> > switch to SHA-256). We may also be able to get behind Google's<br>
> > policy if it is revised - something that isn't the case today.<br>
> ><br>
> > You mentioned somewhere that you worried that simply deprecating<br>
> > SHA-1 certs as of 2017 could create a big customer service burden<br>
> > on Google as of late 2016 or early 2017. I don't think that's the<br>
> > case with this new proposed policy, as all the negative UI effects<br>
> > will happen in 2014-15. Plus, I predict Google will be deluged<br>
> > with customer service complaints under your current policy, when<br>
> > thousands of websites start showing as "untrusted" in the next<br>
> > 6-12 weeks. Why not make life easier for Google with a revised<br>
> > policy?<br>
> ><br>
> > So what do you think? Can we make a change to the policy that is<br>
> > focused on the real problem (2017 certs)?<br>
> ><br>
> > Thanks for your consideration.<br>
> ><br>
> > */Kirk R. Hall/*<br>
> ><br>
> > Operations Director, Trust Services<br>
> ><br>
> > Trend Micro<br>
> ><br>
> > TREND MICRO EMAIL NOTICE<br>
> > The information contained in this email and any attachments is<br>
confidential<br>
> > and may be subject to copyright or other intellectual property<br>
protection.<br>
> > If you are not the intended recipient, you are not authorized to use<br>
or<br>
> > disclose this information, and we request that you notify us by<br>
reply mail or<br>
> > telephone and delete the original message from your mail system.<br>
> ><br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > Public mailing list<br>
> > <a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
> > <a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
><br>
> _______________________________________________<br>
> Public mailing list<br>
> <a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
> <a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
</div></div><br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br></div>