<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:TimesNewRomanPSMT;}
@font-face
{font-family:Cambria-BoldItalic;}
@font-face
{font-family:Cambria-Bold;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Also, doug@globalsign’s request to revise and resubmit as a new section under section 9.8 – we considered that, but we felt that section 9.8 Additional Technical Requirements is a catch all and only refers to
Appendix A, B etc, whereas 9.4. Certificate Validity deals with expirations, and SHA1 expiration issues belong there. So respectfully, we reformat the ballot by adding the text in a new 9.4.2 section, and we don’t do any better by putting that in 9.8. Tom
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Tom Albertson <br>
<b>Sent:</b> Friday, September 12, 2014 4:13 PM<br>
<b>To:</b> Bruce Morton; public@cabforum.org<br>
<b>Subject:</b> RE: Ballot - expiration of SHA1 certificates<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi there - sorry to drop off the face of the earth there, I was oof and got busy this week. Great feedback! I have attached to this email a revised ballot incorporating some of your feedback, and am writing specific responses on a few
topics raised.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best Regards and I’ll see some of you next week, <o:p></o:p></p>
<p class="MsoNormal">Tom<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">@sleevi @kirik_hall @jeremy.rowley @adriano.santoni <span style="color:red">
– Tom: ballot endorsements, thank you very much. This new ballot is somewhat amended and still requires endorsers.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:red"><o:p> </o:p></span></p>
<p class="MsoNormal">bruce@entrust – <span style="color:red">I hear you on the implementation deadline of 10 Nov 2014, and why you would prefer 1 Jan 2015. I have a similar problem with numerous deadlines that are too short and don’t take into account any
of my priorities. A quick poll of CAs will show all are short of time to implement anything, and even 1 Jan 2015 doesn’t work for them. I prefer to leave our deadline short and in place, because it recognizes the urgency of moving away from SHA-1. If CAs
are actually hurting to meet this deadline I would love to hear from them, if they need more time then we can allow it on their audits etc – but I am not certain that 1 Jan 2015 is any better than 10 November 2014.
<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">@rick_andrews @brian - OCSP, 3 uses - 1. The ResponderID construct (through KeyHash), to identify a certificate by the hash of its public key. 2. The CertID construct. 3. The signature of the OCSP response.<o:p></o:p></p>
<p class="MsoNormal"><span style="color:red">Tom: Correct - Windows will enforce the SHA1 policy only on the 3) signature of the OCSP response. The SHA1 policy does not apply to any other uses of SHA1, such as the ResponderID construct, key hash or CertID.
<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">@frank_leroy @rob.stradling @remi.pifaut - refine scope to "SHA-1withRSAencryption for signature algorithm" since SHA1 still used to compute AKI and SKI.
<o:p></o:p></p>
<p class="MsoNormal"><span style="color:red">Tom: Again, correct - The SHA1 policy does not apply to AKI and SKI. It only applies to the signature of the certificate.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Bruce Morton [<a href="mailto:bruce.morton@entrust.com">mailto:bruce.morton@entrust.com</a>]
<br>
<b>Sent:</b> Monday, September 8, 2014 5:56 AM<br>
<b>To:</b> Tom Albertson; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> RE: Ballot - expiration of SHA1 certificates<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Hi Tom,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thank you for this ballot.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I have one comment and it is the implementation date of 1 November 2014. Entrust is currently challenged to meet this date and the ballot has not been approved yet. We would request that 1 November 2014 be changed
to 1 January 2015. This would allow this change to be synced with a current scheduled release.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks in advance for your consideration.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Tom Albertson<br>
<b>Sent:</b> Friday, September 05, 2014 6:47 PM<br>
<b>To:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> [cabfpub] FW: Ballot - expiration of SHA1 certificates<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi there,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have produced a ballot for discussion, which aligns the Baseline Requirements (v1.1.9) with the planned deprecation of SHA-1. This ballot uses the dates in the
<a href="http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx">
Microsoft SHA-1 deprecation policy</a> as a reference, and right now only addresses SSL certs. I think we can offer similar language for code signing certs and possibly other BRs once we have hashed this out for SSL.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">New text appears as <u><span style="color:red">red underlined</span></u>. A small amount of text in Appendix A is proposed for deletion (<s>black strikethrough)</s> The amendments relate mainly to Section 9.4 Validity Period, with minor
conforming changes to Appendix A.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Special thanks to Ben and Gerv and others, who already struggled through this issue in March 2014, that ballot discussion was most instructive. I have made no efforts to collaborate with other Forum members on this issue except to go back
and forth with Kelvin and Aaron here at Microsoft on the best text to offer to represent the Microsoft policy.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Your comments and questions are appreciated, and ultimately we could use an endorser or two of the ballot measure.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Tom<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="color:#1F497D">Ballot NNN –expirations of SHA1 certificates (FINAL VERSION)<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b><i><span style="font-size:14.0pt;font-family:Cambria-BoldItalic">9.4 Validity Period<o:p></o:p></span></i></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:13.0pt;font-family:Cambria-Bold"><o:p> </o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:13.0pt;font-family:Cambria-Bold">9.4.1 Subscriber Certificates<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Times New Roman","serif"">Subscriber Certificates issued after the Effective Date MUST have a Validity Period no greater than 60 months.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Times New Roman","serif"">Except as provided for below, Subscriber Certificates issued after 1 April 2015 MUST have a Validity Period no<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Times New Roman","serif"">greater than 39 months.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Times New Roman","serif"">
<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><u><span style="font-family:"Times New Roman","serif";color:red">Effective 1 November 2014, CAs MUST NOT issue Subscriber Certificates utilizing the SHA-1 algorithm with an Expiry Date greater than 1 January
2017.</span></u><u><span style="font-family:"Times New Roman","serif";color:#00B050">
</span></u><u><span style="font-family:"Times New Roman","serif";color:#1F497D"><o:p></o:p></span></u></p>
<p class="MsoNormal" style="text-autospace:none"><u><span style="font-family:"Times New Roman","serif";color:red"><o:p><span style="text-decoration:none"> </span></o:p></span></u></p>
<p class="MsoNormal" style="text-autospace:none"><u><span style="font-family:"Times New Roman","serif";color:red">Except as provided for below, effective 1 January 2016, CAs MUST NOT issue Subscriber Certificates that utilize the SHA-1 algorithm.</span></u><u><span style="font-family:"Times New Roman","serif";color:#00B050">
<o:p></o:p></span></u></p>
<p class="MsoNormal" style="text-autospace:none"><u><span style="font-family:"Times New Roman","serif"">
<o:p></o:p></span></u></p>
<p class="MsoNormal" style="text-autospace:none"><u><span style="font-family:"Times New Roman","serif";color:red">Effective</span></u><span style="font-family:"Times New Roman","serif";color:red">
</span><span style="font-family:"Times New Roman","serif"">1 April 2015, CAs MAY continue to issue Subscriber Certificates with a Validity Period greater than 39<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Times New Roman","serif"">months but not greater than 60 months provided that the CA documents that the Certificate is for a system or<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Times New Roman","serif"">software that:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Times New Roman","serif"">(a) was in use prior to the Effective Date;<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Times New Roman","serif"">(b) is currently in use by either the Applicant or a substantial number of Relying Parties;<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Times New Roman","serif"">(c) fails to operate if the Validity Period is shorter than 60 months;<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Times New Roman","serif"">(d) does not contain known security risks to Relying Parties; and<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif"">(e) is difficult to patch or replace without substantial economic outlay.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-family:"Times New Roman","serif";color:red">9.4.2 Root CA Certificates<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><u><span style="font-family:"Times New Roman","serif";color:red"><o:p><span style="text-decoration:none"> </span></o:p></span></u></p>
<p class="MsoNormal"><u><span style="color:red">The SHA-1 deprecation policy and Validity Dates DO NOT apply to Root CA certificates. CAs MAY continue to use their existing SHA-1 Root Certificates.
</span></u><u><span lang="EN" style="color:red">CAs MUST use SHA-2 or successor hash algorithms to sign any Subscriber certificates, Subordinate CA certificates, and CRLs effective 1 January 2016.</span><span style="color:red"><o:p></o:p></span></u></p>
<p class="MsoNormal"><u><span style="font-family:"Times New Roman","serif";color:red"><o:p><span style="text-decoration:none"> </span></o:p></span></u></p>
<p class="MsoNormal"><u><span style="font-family:"Times New Roman","serif";color:red"><o:p><span style="text-decoration:none"> </span></o:p></span></u></p>
<p class="MsoNormal"><b><u><span style="font-family:"Times New Roman","serif";color:red">9.4.3 Subordinate CA Certificates<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><u><span style="font-family:"Times New Roman","serif";color:red"><o:p><span style="text-decoration:none"> </span></o:p></span></u></p>
<p class="MsoNormal"><u><span style="font-family:"Times New Roman","serif";color:red">Effective 1 January 2016, CAs MUST NOT issue Subordinate CA Certificates that utilize the SHA-1 algorithm. CAs MUST NOT issue SHA-2 Subscriber certificates under SHA-1 Subordinate
CA Certificates.</span></u><span style="font-family:"Times New Roman","serif";color:red">
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:14.0pt;font-family:"Times New Roman","serif"">Appendix A - Cryptographic Algorithm and Key Requirements (Normative)<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif"">…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Add this note under Table 2, Subordinate CA certificates:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><u><span style="font-family:"Times New Roman","serif";color:red">* SHA-1 MAY be used with RSA keys in accordance with the criteria defined in Section 9.4.3.<o:p></o:p></span></u></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif";color:red"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif"">And amend this note at the end of the 3 tables.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif";color:red"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Times New Roman","serif"">* SHA-1 MAY be used with RSA keys<span style="color:#1F497D">
</span><u><span style="color:red">in accordance with the criteria defined in Section 9.4.1
</span></u></span><s><span style="font-size:10.0pt;font-family:TimesNewRomanPSMT">until SHA-256 is supported widely by browsers used by a substantial<o:p></o:p></span></s></p>
<p class="MsoNormal"><s><span style="font-size:10.0pt;font-family:TimesNewRomanPSMT">portion of relying-parties worldwide</span></s><span style="font-size:10.0pt;font-family:TimesNewRomanPSMT">.
</span><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>