<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";
        color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;
        color:black;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
span.EmailStyle22
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle23
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle24
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.EmailStyle25
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle26
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.EmailStyle27
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle28
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle29
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;
        font-weight:normal;
        font-style:normal;}
span.EmailStyle30
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;
        font-weight:normal;
        font-style:normal;}
span.EmailStyle31
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle32
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;
        font-weight:normal;
        font-style:normal;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:1426146407;
        mso-list-type:hybrid;
        mso-list-template-ids:-479973720 1612877824 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
        {mso-level-start-at:2;
        mso-level-number-format:bullet;
        mso-level-text:-;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Calibri","sans-serif";
        mso-fareast-font-family:Calibri;
        mso-bidi-font-family:"Times New Roman";}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l0:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l0:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks, Anoosh. Here’s another item that we’re struggling with, and we’d love to get your assistance.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Microsoft initially said that SHA-1 timestamping would be EOLed at the end of 2015 (we currently run two such services).  Microsoft later said it was going to be allowed after 2016.  Can you clarify this?  The messaging seems inconsistent.  We’re working to stand up a SHA-256 TSA, but if all SHA1 timestamps cannot be used after the end of this year, it makes our transition a bit more urgent.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>And I’m sure you realize that we can’t just simply move to a SHA-256 TSA right now because code with those timestamps can’t be used on older Windows versions. 
So we’d like to understand if you have deadlines for when Windows will stop accepting<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>          </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Code signed with a SHA-1 CS cert and a SHA-1 timestamp<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>          </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Code signed with a SHA-2 CS cert and a SHA-1 timestamp<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>And if it will depend on the validity end date of the CS cert, please explain.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Rick<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span 
style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> Anoosh Saboori [mailto:ansaboor@microsoft.com] <br><b>Sent:</b> Monday, March 23, 2015 12:35 PM<br><b>To:</b> Rick Andrews; Erwann Abalea; public@cabforum.org<br><b>Subject:</b> RE: [cabfpub] Updates to Microsoft SHA-1 deprecation<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I am consolidating the feedback and will get back to you shortly. </span><o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Rick Andrews<br><b>Sent:</b> Monday, March 23, 2015 10:52 AM<br><b>To:</b> Erwann Abalea; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] Updates to Microsoft SHA-1 deprecation</span><o:p></o:p></p></div></div><p class=MsoNormal style='margin-left:.5in'> <o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks, Erwann. 
I missed that.</span><o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Two questions for Anoosh:</span><o:p></o:p></p><p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>1)</span><span style='font-size:7.0pt;color:#1F497D'>      </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>What’s the rationale for 1/1/2016? I’m almost certain that Tom said it wouldn’t be required until 1/1/2017.</span><o:p></o:p></p><p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>2)</span><span style='font-size:7.0pt;color:#1F497D'>      </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Echoing Bruce’s comment, is there any way that you can pull all the details together in a more understandable format? IMO, I shouldn’t have to read through all 5 pages of comments to see what the policy is. It’s great that Microsoft accepts comments (and answers them!) 
but if someone posts a question it probably means that the policy statement is lacking, and should be updated.</span><o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Rick</span><o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:1.0in'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Erwann Abalea<br><b>Sent:</b> Monday, March 23, 2015 9:05 AM<br><b>To:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] Updates to Microsoft SHA-1 deprecation</span><o:p></o:p></p></div></div><p class=MsoNormal style='margin-left:1.0in'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:1.0in'><a href="http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx#pi47623=2">http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx#pi47623=2</a><br><br>CRLs will be SHA2-signed by 01/01/2016. 
See responses by "Amerk [MSFT]".<br><br><br><o:p></o:p></p><pre style='margin-left:1.0in'>-- <o:p></o:p></pre><pre style='margin-left:1.0in'>Erwann ABALEA<o:p></o:p></pre><pre style='margin-left:1.0in'> <o:p></o:p></pre><div><p class=MsoNormal style='margin-left:1.0in'>Le 23/03/2015 16:57, Rick Andrews a écrit :<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Bruce,</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>At the Beijing meeting, Tom Albertson said that by 1/1/2017, even CRLs for SHA-1 roots had to be signed with SHA-2. </span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Anoosh, I assume that’s still Microsoft’s policy.</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Rick</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:1.5in'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span 
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Bruce Morton<br><b>Sent:</b> Monday, March 23, 2015 7:40 AM<br><b>To:</b> Anoosh Saboori<br><b>Cc:</b> CABFPub<br><b>Subject:</b> Re: [cabfpub] Updates to Microsoft SHA-1 deprecation</span><o:p></o:p></p></div></div><p class=MsoNormal style='margin-left:1.5in'> <o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Anoosh,</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I might be the only one, but I am a little confused regarding the Windows hashing requirements. 
It would be great if there was a matrix to show/confirm your requirements per Windows version.</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I am thinking that the following must be covered:</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoListParagraph style='margin-left:2.0in;text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>·</span><span style='font-size:7.0pt;color:#1F497D'>         </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>SSL certificates</span><o:p></o:p></p><p class=MsoListParagraph style='margin-left:2.0in;text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>·</span><span style='font-size:7.0pt;color:#1F497D'>         </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Code Signing certificates</span><o:p></o:p></p><p class=MsoListParagraph style='margin-left:2.0in;text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>·</span><span style='font-size:7.0pt;color:#1F497D'>         </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>S/MIME certificates</span><o:p></o:p></p><p class=MsoListParagraph style='margin-left:2.0in;text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>·</span><span style='font-size:7.0pt;color:#1F497D'>         </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Time-stamping certificates</span><o:p></o:p></p><p class=MsoListParagraph style='margin-left:2.0in;text-indent:-.25in'><span 
style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>·</span><span style='font-size:7.0pt;color:#1F497D'>         </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>OCSP signing certificates</span><o:p></o:p></p><p class=MsoListParagraph style='margin-left:2.0in;text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>·</span><span style='font-size:7.0pt;color:#1F497D'>         </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Code signing signatures</span><o:p></o:p></p><p class=MsoListParagraph style='margin-left:2.0in;text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>·</span><span style='font-size:7.0pt;color:#1F497D'>         </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Time-stamp signatures</span><o:p></o:p></p><p class=MsoListParagraph style='margin-left:2.0in;text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>·</span><span style='font-size:7.0pt;color:#1F497D'>         </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>CRL signatures</span><o:p></o:p></p><p class=MsoListParagraph style='margin-left:2.0in;text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>·</span><span style='font-size:7.0pt;color:#1F497D'>         </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>OCSP signatures</span><o:p></o:p></p><p class=MsoListParagraph style='margin-left:2.0in;text-indent:-.25in'><span style='font-size:11.0pt;font-family:Symbol;color:#1F497D'>·</span><span style='font-size:7.0pt;color:#1F497D'>         </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>there must be more …</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> 
</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>An issue that I want to understand is, since some certificates can be SHA-1, can the CRL/OCSP response be signed with a SHA-1 certificate? Can the signature be SHA-1? We would need to understand this for both root and issuing CAs.</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If we can nail this down, then it will be easier to draft a spec for our implementation teams.</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks, Bruce.</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:1.5in'><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> Anoosh Saboori [<a href="mailto:ansaboor@microsoft.com">mailto:ansaboor@microsoft.com</a>] <br><b>Sent:</b> Saturday, March 21, 2015 8:29 PM<br><b>To:</b> Bruce Morton<br><b>Cc:</b> CABFPub<br><b>Subject:</b> RE: [cabfpub] Updates to Microsoft SHA-1 deprecation</span><o:p></o:p></p></div></div><p class=MsoNormal style='margin-left:1.5in'> <o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Windows enforcement dates (i.e., the date at which SHA-1 certificates will be rejected by Windows) only apply to SSL and code signing certificates. All other types of certificates will be rejected on the Windows side when SHA-1 pre-image attacks are deemed feasible by Microsoft.</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Anoosh</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><a name="_MailEndCompose"></a><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:1.5in'><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> Bruce Morton [<a href="mailto:bruce.morton@entrust.com">mailto:bruce.morton@entrust.com</a>] <br><b>Sent:</b> Friday, March 20, 2015 6:47 PM<br><b>To:</b> Anoosh Saboori<br><b>Cc:</b> CABFPub<br><b>Subject:</b> Re: [cabfpub] Updates to Microsoft SHA-1 deprecation</span><o:p></o:p></p></div></div><p class=MsoNormal style='margin-left:1.5in'> <o:p></o:p></p><div><p class=MsoNormal style='margin-left:1.5in'>Hi Anoosh,<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:1.5in'> <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:1.5in'>Thank you for the update.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:1.5in'> <o:p></o:p></p></div><div><p class=MsoNormal 
style='margin-left:1.5in'>I don't think the policy for S/MIME certificates has been stated. I see some discussion in the comments. Could you also advise how the SHA-1 deprecation policy applies to S/MIME certificates? <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:1.5in'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:1.5in'>Thanks, Bruce.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:1.5in'><br>On Mar 20, 2015, at 8:57 PM, Anoosh Saboori &lt;<a href="mailto:ansaboor@microsoft.com">ansaboor@microsoft.com</a>&gt; wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Hello,</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>I would like to inform you that Microsoft has made an update to its SHA-1 deprecation policy to accommodate developers targeting Vista/Server 2008. 
Please see below.</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><a href="http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx">http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx</a> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Anoosh</span><o:p></o:p></p><p class=MsoNormal style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:1.5in'>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></div></blockquote><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:1.0in'><br><br><br><o:p></o:p></p><pre style='margin-left:1.0in'>_______________________________________________<o:p></o:p></pre><pre style='margin-left:1.0in'>Public mailing list<o:p></o:p></pre><pre style='margin-left:1.0in'><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></pre><pre style='margin-left:1.0in'><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre></blockquote><p class=MsoNormal style='margin-left:1.0in'> <o:p></o:p></p></div></body></html>