<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">SSC votes: "Yes".<br>
<br>
Thanks,<br>
M.D.<br>
<br>
On 10/2/2014 10:55 PM, Ben Wilson wrote:<br>
</div>
<blockquote
cite="mid:0713b3ac797947e5bdadd7ee17db4b65@EX2.corp.digicert.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">Ballot 118 - SHA1 Sunset</span></b><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">
<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">Kelvin Yiu of Microsoft made
the following motion, and Kirk Hall from Trend Micro and
Ryan Sleevi from Google have endorsed it. <o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">Reason for Ballot</span></b><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">
<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">Over the last year or two,
several application software providers have announced
deprecation of the SHA-1 algorithm in their software. <o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">-- Motion Begins --
<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">A. In the Baseline
Requirements, insert the following new section 9.4.2:
<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><u><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">9.4.2 SHA-1 Validity
Period
<o:p></o:p></span></u></b></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><u><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">Effective 1 January 2016,
CAs MUST NOT issue any new Subscriber certificates or
Subordinate CA certificates using the SHA-1 hash
algorithm. CAs MAY continue to sign certificates to verify
OCSP responses using SHA1 until 1 January 2017. This
Section 9.4.2 does not apply to Root CA or CA cross
certificates. CAs MAY continue to use their existing SHA-1
Root Certificates. SHA-2 Subscriber certificates SHOULD
NOT chain up to a SHA-1 Subordinate CA Certificate.
<o:p></o:p></span></u></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><u><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">Effective 16 January 2015,
CAs SHOULD NOT issue Subscriber Certificates utilizing the
SHA-1 algorithm with an Expiry Date greater than 1 January
2017 because Application Software Providers are in the
process of deprecating and/or removing the SHA-1 algorithm
from their software, and they have communicated that CAs
and Subscribers using such certificates do so at their own
risk. <o:p></o:p></span></u></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">B. In Appendix A of the
Baseline Requirements - Cryptographic Algorithm and Key
Requirements (Normative), add this note under Table 2,
Subordinate CA certificates: <o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><u><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">* SHA-1 MAY be used with
RSA keys in accordance with the criteria defined in
Section 9.4.2.
<o:p></o:p></span></u></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">And amend this note at the
end of each of the 3 tables.
<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">* SHA-1 MAY be used with RSA
keys in accordance with
<u>the criteria defined in Section 9.4.2</u> <s>until
SHA-256 is supported widely by browsers used by a
substantial portion of relying-parties worldwide</s>.
<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">-- Motion Ends --
<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'">The review period for this
ballot shall commence at 2200 UTC on Thursday, 2 October
2014, and will close at 2200 UTC on Thursday, 9 October
2014. Unless the motion is withdrawn during the review
period, the voting period will start immediately thereafter
and will close at 2200 UTC on Thursday, 16 October 2014.
Votes must be cast by posting an on-list reply to this
thread. A vote in favor of the motion must indicate a clear
'yes' in the response. A vote against must indicate a clear
'no' in the response. A vote to abstain must indicate a
clear 'abstain' in the response. Unclear responses will not
be counted. The latest vote received from any representative
of a voting member before the close of the voting period
will be counted. Voting members are listed here:
<a moz-do-not-send="true"
href="https://cabforum.org/members/"><span
style="color:blue">https://cabforum.org/members/</span></a>
In order for the motion to be adopted, two thirds or more of
the votes cast by members in the CA category and greater
than 50% of the votes cast by members in the browser
category must be in favor. Quorum is currently nine (9)
members – at least nine members must participate in the
ballot, either by voting in favor, voting against, or
abstaining.
<o:p></o:p></span></p>
</div>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>