<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Calibri">+1<br>
<br>
</font>
<div class="moz-cite-prefix">On 06/09/2014 00:47, Tom Albertson
wrote:<br>
</div>
<blockquote
cite="mid:426dae98234d4e5f9233f5f588fb92f4@DM2PR0301MB0653.namprd03.prod.outlook.com"
type="cite">
<div class="WordSection1">
<p>Hi there,</p>
<p>I have produced a ballot for discussion, which aligns the Baseline
Requirements (v1.1.9) with the planned deprecation of SHA-1. This ballot
uses the dates in the
<a moz-do-not-send="true"
href="http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx">Microsoft
SHA-1 deprecation policy</a> as a reference, and right now only addresses
SSL certs. I think we can offer similar language for code signing certs
and possibly other BRs once we have hashed this out for SSL.</p>
<p>New text appears as <u><span style="color:red">red underlined</span></u>.
A small amount of text in Appendix A is proposed for deletion
(<s>black strikethrough</s>). The amendments relate mainly to Section 9.4
Validity Period, with minor conforming changes to Appendix A.</p>
<p>Special thanks to Ben and Gerv and others, who already struggled
through this issue in March 2014; that ballot discussion was most
instructive. I have made no efforts to collaborate with other Forum
members on this issue except to go back and forth with Kelvin and Aaron
here at Microsoft on the best text to offer to represent the Microsoft
policy.</p>
<p>Your comments and questions are appreciated, and ultimately we could
use an endorser or two of the ballot measure.</p>
<p>Thanks,</p>
<p>Tom</p>
<p><b><span style="color:#1F497D">Ballot NNN – expirations of SHA1
certificates (FINAL VERSION)</span></b></p>
<p><b><i>9.4 Validity Period</i></b></p>
<p><b>9.4.1 Subscriber Certificates</b></p>
<p>Subscriber Certificates issued after the Effective Date MUST have a
Validity Period no greater than 60 months.</p>
<p>Except as provided for below, Subscriber Certificates issued after
1 April 2015 MUST have a Validity Period no greater than 39 months.</p>
<p><u><span style="color:red">Effective 1 November 2014, CAs MUST NOT
issue Subscriber Certificates utilizing the SHA-1 algorithm with an
Expiry Date greater than 1 January 2017.</span></u></p>
<p><u><span style="color:red">Except as provided for below, effective
1 January 2016, CAs MUST NOT issue Subscriber Certificates that utilize
the SHA-1 algorithm.</span></u></p>
<p><u><span style="color:red">Effective</span></u> 1 April 2015, CAs MAY
continue to issue Subscriber Certificates with a Validity Period greater
than 39 months but not greater than 60 months provided that the CA
documents that the Certificate is for a system or software that:</p>
<p>(a) was in use prior to the Effective Date;</p>
<p>(b) is currently in use by either the Applicant or a substantial
number of Relying Parties;</p>
<p>(c) fails to operate if the Validity Period is shorter than 60 months;</p>
<p>(d) does not contain known security risks to Relying Parties; and</p>
<p>(e) is difficult to patch or replace without substantial economic
outlay.</p>
<p><b><u><span style="color:red">9.4.2 Root CA Certificates</span></u></b></p>
<p><u><span style="color:red">The SHA-1 deprecation policy and Validity
Dates DO NOT apply to Root CA certificates. CAs MAY continue to use their
existing SHA-1 Root Certificates. CAs MUST use SHA-2 or successor hash
algorithms to sign any Subscriber certificates, Subordinate CA
certificates, and CRLs effective 1 January 2016.</span></u></p>
<p><b><u><span style="color:red">9.4.3 Subordinate CA Certificates</span></u></b></p>
<p><u><span style="color:red">Effective 1 January 2016, CAs MUST NOT
issue Subordinate CA Certificates that utilize the SHA-1 algorithm. CAs
MUST NOT issue SHA-2 Subscriber certificates under SHA-1 Subordinate CA
Certificates.</span></u></p>
<p><b>Appendix A - Cryptographic Algorithm and Key Requirements
(Normative)</b></p>
<p>…</p>
<p><span style="color:#1F497D">Add this note under Table 2, Subordinate CA
certificates:</span></p>
<p><u><span style="color:red">* SHA-1 MAY be used with RSA keys in
accordance with the criteria defined in Section 9.4.3.</span></u></p>
<p>And amend this note at the end of the 3 tables.</p>
<p>* SHA-1 MAY be used with RSA keys <u><span style="color:red">in
accordance with the criteria defined in Section 9.4.1</span></u>
<s>until SHA-256 is supported widely by browsers used by a substantial
portion of relying-parties worldwide</s>.</p>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<i><span style="font-family: Serif">Adriano Santoni</span></i>
</div>
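<p>The issuance rules in the quoted ballot text (the 60/39-month validity ceilings, the 1 November 2014 expiry cut-off for SHA-1 leaves, the 1 January 2016 stop for SHA-1 leaf and subordinate CA issuance, and the prohibition on SHA-2 leaves under SHA-1 subordinate CAs) can be checked mechanically, in the way a BR lint does. The script below is an added example for this thread; it is not code from the CA/Browser Forum, Microsoft, or anyone in the discussion. It assumes a small summary record per certificate instead of DER parsing, counts validity in calendar months with a partial trailing month rounded up (the ballot does not define "month"), reads the hash family from an OpenSSL-style signature algorithm name, and treats the original BR "Effective Date" as earlier than every sample date; the sample certificates and subjects are constructed.</p>

```python
"""Lint a certificate chain against the SHA-1 and validity rules in the
quoted ballot text (proposed BR 9.4.1 / 9.4.2 / 9.4.3).

Added example; not CA/Browser Forum or Microsoft code. Assumptions not on
the page: summary records instead of DER, calendar-month validity with a
partial trailing month rounded up, hash family taken from the signature
algorithm name, and the BR "Effective Date" predating every sample date.
"""
from dataclasses import dataclass
from datetime import date

SHA1_EXPIRY_RULE_FROM = date(2014, 11, 1)  # 9.4.1: SHA-1 leaf issued from here ...
SHA1_EXPIRY_CUTOFF = date(2017, 1, 1)      # ... must not expire after this
SHA1_ISSUANCE_STOP = date(2016, 1, 1)      # 9.4.1 / 9.4.3: no SHA-1 leaf or sub-CA issuance
VALIDITY_39_FROM = date(2015, 4, 1)        # 9.4.1: 39-month ceiling from here


@dataclass
class CertSummary:
    subject: str
    sig_alg: str                    # e.g. "sha1WithRSAEncryption"
    not_before: date                # treated as the issuance date
    not_after: date
    is_ca: bool = False
    legacy_exception: bool = False  # CA documented criteria (a)-(e) of 9.4.1


def hash_family(sig_alg: str) -> str:
    """Map a signature algorithm name to the hash family the ballot talks about."""
    s = sig_alg.lower()
    if s.startswith("sha1"):
        return "sha1"
    if s.startswith(("sha256", "sha384", "sha512")):
        return "sha2"
    return "other"


def months_between(start: date, end: date) -> int:
    """Calendar months from start to end; a partial trailing month counts as one (assumption)."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day > start.day:
        months += 1
    return months


def lint_subscriber(leaf: CertSummary, issuer: CertSummary) -> list:
    """Violations of 9.4.1 and of the chain rule in 9.4.3 for one Subscriber Certificate."""
    issued = leaf.not_before
    problems = []

    validity = months_between(leaf.not_before, leaf.not_after)
    if validity > 60:
        problems.append("validity exceeds 60 months")
    elif issued >= VALIDITY_39_FROM and validity > 39 and not leaf.legacy_exception:
        problems.append("validity exceeds 39 months without a documented 9.4.1 exception")

    fam = hash_family(leaf.sig_alg)
    if fam == "sha1":
        if issued >= SHA1_ISSUANCE_STOP:
            problems.append("SHA-1 Subscriber Certificate issued on or after 1 January 2016")
        elif issued >= SHA1_EXPIRY_RULE_FROM and leaf.not_after > SHA1_EXPIRY_CUTOFF:
            problems.append("SHA-1 Subscriber Certificate expires after 1 January 2017")
    elif fam == "sha2" and hash_family(issuer.sig_alg) == "sha1":
        problems.append("SHA-2 Subscriber Certificate issued under a SHA-1 Subordinate CA")
    return problems


def lint_subordinate(sub_ca: CertSummary) -> list:
    """Violations of 9.4.3 for a Subordinate CA Certificate (roots are exempt under 9.4.2)."""
    problems = []
    if hash_family(sub_ca.sig_alg) == "sha1" and sub_ca.not_before >= SHA1_ISSUANCE_STOP:
        problems.append("SHA-1 Subordinate CA Certificate issued on or after 1 January 2016")
    return problems


def lint_chain(leaf: CertSummary, sub_ca: CertSummary) -> dict:
    return {"leaf": lint_subscriber(leaf, sub_ca), "sub_ca": lint_subordinate(sub_ca)}


# Constructed sample certificates (not real ones); subjects are placeholders.
SHA1_SUB_CA = CertSummary("Example SHA-1 Sub CA", "sha1WithRSAEncryption",
                          date(2010, 1, 1), date(2020, 1, 1), is_ca=True)
SHA2_SUB_CA = CertSummary("Example SHA-2 Sub CA", "sha256WithRSAEncryption",
                          date(2014, 6, 1), date(2024, 6, 1), is_ca=True)

SAMPLES = {
    # SHA-1 leaf issued Dec 2014, expires before the 2017 cut-off: allowed
    "sha1_ok": CertSummary("www.example.com", "sha1WithRSAEncryption",
                           date(2014, 12, 1), date(2016, 12, 1)),
    # same issuance date, but expires after 1 January 2017
    "sha1_long": CertSummary("www.example.com", "sha1WithRSAEncryption",
                             date(2014, 12, 1), date(2017, 12, 1)),
    # SHA-1 leaf issued after the 2016 stop
    "sha1_late": CertSummary("www.example.com", "sha1WithRSAEncryption",
                             date(2016, 2, 1), date(2016, 12, 1)),
    # SHA-2 leaf chained to the SHA-1 sub-CA
    "sha2_under_sha1": CertSummary("www.example.com", "sha256WithRSAEncryption",
                                   date(2015, 6, 1), date(2017, 6, 1)),
    # 48-month SHA-2 leaf issued after 1 April 2015 with no legacy exception
    "too_long": CertSummary("www.example.com", "sha256WithRSAEncryption",
                            date(2015, 5, 1), date(2019, 5, 1)),
    # same, with criteria (a)-(e) documented
    "legacy": CertSummary("www.example.com", "sha256WithRSAEncryption",
                          date(2015, 5, 1), date(2019, 5, 1), legacy_exception=True),
}

if __name__ == "__main__":
    for name, leaf in SAMPLES.items():
        issuer = SHA1_SUB_CA if name in ("sha1_ok", "sha1_long", "sha1_late", "sha2_under_sha1") else SHA2_SUB_CA
        print(name, lint_chain(leaf, issuer))
```

<p>The two branches worth noting are the ones the ballot text itself separates: before 1 January 2016 a SHA-1 leaf is only constrained by its expiry date, after it by its issuance date, so a lint keyed on <code>not_after</code> alone would miss a short-lived SHA-1 certificate issued in 2016. The 60-month legacy path is a flag the CA sets once it has documented criteria (a) to (e); the lint cannot verify that documentation, only that the flag was asserted.</p>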
</body>
</html>