<div dir="ltr">Thanks for publishing this, Jody.<div><br></div><div>When reading through, I noticed some inconsistency, so it might help to clarify.</div><div><br></div><div>Under Item 7 of Enforcement in General ( <a href="http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Enforcement_in_General">http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Enforcement_in_General</a> ), it says</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">"Microsoft requires CAs to start issuing new OCSP signatures using only the SHA-2 algorithm after January 1, 2016 for SHA-2 SSL certificates"</blockquote><div> </div><div>Under Enforcement Details, <a href="http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#H1_B">http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#H1_B</a>, for OCSP signatures it says</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">"CAs should move to using SHA-2 starting 1/1/2016 for SHA-2 SSL certificates."</blockquote><div><br></div><div>While under Schedule, <a href="http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Schedule">http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Schedule</a> </div><div>For OCSP signatures, on the 1/1/2016 date, it says <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">"CAs MUST sign OCSP responses with SHA-2 only"</blockquote><div><br></div><div>I'm guessing the 2/3 majority here wins, which is that beginning 2016/1/1, all SHA-2 signed SSL certificates MUST have their OCSP responses signed with a SHA-2 signature algorithm. Is that correct?</div><div><br></div><div>The confusion that arises is the somewhat weaker language in the Details section ("should move"), although admittedly, I'm accustomed to IETF language where "SHOULD" is more aligned with wishing on rainbows than actual reality :)</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 25, 2015 at 9:36 AM, Jody Cloutier <span dir="ltr"><<a href="mailto:jodycl@microsoft.com" target="_blank">jodycl@microsoft.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif">Microsoft published a new Wiki page that addresses many of the questions this audience has asked regarding SHA-1. Please see
<a href="http://aka.ms/sha1" target="_blank">http://aka.ms/sha1</a> for more information. Our goal is to add to the FAQ section as new questions come up.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif">Please let me know if you have any questions.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Jody Cloutier<u></u><u></u></span></b></p>
<p class="MsoNormal"><i><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif">Senior Security Program Manager<u></u><u></u></span></i></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><a href="http://aka.ms/rootcert" target="_blank"><b><span style="font-size:9.0pt;color:#0563c1">Microsoft Trusted Root Certificate Program</span></b></a></span><b><u><span style="color:#0563c1"><u></u><u></u></span></u></b></p>
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:#5b9bd5">O</span></u></b><span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif">perating
<b><u><span style="color:#ed7d31">S</span></u></b>ystems <b><u><span style="color:red">G</span></u></b>roup</span><i><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"> 
</span></i><b><u><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif">G</span></u></b><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif">lobal
<b><u>R</u></b>isk Management and <b><u>C</u></b>ompliance<u><span style="color:#0563c1"><u></u><u></u></span></u></span></p>
</div>
</div>

<br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br></div>
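One way for a relying party to verify the rule the thread settles on (after 1/1/2016, OCSP responses for SHA-2 certificates must carry a SHA-2 signature algorithm) is to read the signatureAlgorithm straight out of the DER OCSPResponse. This is an added example, not code from the thread, Microsoft's wiki page, or any CA; the small DER walker, the OID tables and the constructed, unsigned sample response are all assumptions made here to keep it self-contained.

```python
import datetime

SHA2_CUTOFF = datetime.date(2016, 1, 1)           # date quoted from the Schedule section of the thread
OCSP_BASIC = "1.3.6.1.5.5.7.48.1.1"               # id-pkix-ocsp-basic
SHA1_SIGS = {"1.2.840.113549.1.1.5": "sha1WithRSA", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
SHA2_SIGS = {"1.2.840.113549.1.1.11": "sha256WithRSA", "1.2.840.113549.1.1.12": "sha384WithRSA",
             "1.2.840.113549.1.1.13": "sha512WithRSA", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value bytes, offset just past it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Base-128 OID decoding; the first byte packs the first two arcs."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc)); acc = 0
    return ".".join(parts)

def ocsp_signature_oid(der):
    """OCSPResponse -> responseBytes [0] -> BasicOCSPResponse.signatureAlgorithm.algorithm"""
    _, resp, _ = tlv(der)                          # OCSPResponse SEQUENCE
    _, status, pos = tlv(resp)                     # responseStatus ENUMERATED
    if status != b"\x00":
        raise ValueError("responseStatus is not successful(0); no signed response present")
    _, rb, _ = tlv(tlv(resp, pos)[1])              # [0] EXPLICIT wrapper, then ResponseBytes SEQUENCE
    _, rtype, pos = tlv(rb)                        # responseType OID
    if decode_oid(rtype) != OCSP_BASIC:
        raise ValueError("unsupported responseType " + decode_oid(rtype))
    _, basic, _ = tlv(tlv(rb, pos)[1])             # response OCTET STRING, then BasicOCSPResponse SEQUENCE
    _, _, pos = tlv(basic)                         # tbsResponseData is skipped; only the AlgorithmIdentifier matters
    _, algid, _ = tlv(basic, pos)                  # signatureAlgorithm AlgorithmIdentifier SEQUENCE
    return decode_oid(tlv(algid)[1])

def check_ocsp_signature(der, produced_at, cert_is_sha2=True):
    """Apply the quoted rule: on or after the cutoff, responses for SHA-2 certs must be SHA-2 signed."""
    oid = ocsp_signature_oid(der)
    if oid in SHA2_SIGS:
        return "ok", SHA2_SIGS[oid]
    if oid in SHA1_SIGS:
        violation = cert_is_sha2 and produced_at >= SHA2_CUTOFF
        return ("violation" if violation else "sha1-tolerated"), SHA1_SIGS[oid]
    return "unknown", oid

def _der(tag, content):                            # short-form length only; enough for the constructed sample
    return bytes([tag, len(content)]) + content

def sample_response(sig_oid_bytes):
    """Constructed skeleton (empty ResponseData, fake signature bits) purely to exercise the parser."""
    algid = _der(0x30, _der(0x06, sig_oid_bytes))
    basic = _der(0x30, _der(0x30, b"") + algid + _der(0x03, b"\x00\xAA\xAA"))
    rb = _der(0x30, _der(0x06, bytes.fromhex("2b0601050507300101")) + _der(0x04, basic))
    return _der(0x30, _der(0x0A, b"\x00") + _der(0xA0, rb))

SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
```

On a real response the producedAt value from tbsResponseData (or the time the responder was queried) is what goes into produced_at; the sample omits that field, so the caller supplies it.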