<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 29, 2015 at 3:35 PM, Jody Cloutier <span dir="ltr"><<a href="mailto:jodycl@microsoft.com" target="_blank">jodycl@microsoft.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:'Segoe UI',sans-serif;color:rgb(31,73,125)">Hi Ryan,
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:'Segoe UI',sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:'Segoe UI',sans-serif;color:rgb(31,73,125)">I talked to Sakib about this, and we decided to change "CAs MUST sign OCSP responses with SHA-2 only" to "CAs SHOULD sign OCSP responses with SHA-2 only" on
January 1, 2016, because Windows will not actually enforce on this date. <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:'Segoe UI',sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:'Segoe UI',sans-serif;color:rgb(31,73,125)">Check out the update.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:'Segoe UI',sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:'Segoe UI',sans-serif;color:rgb(31,73,125)">Jody<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:'Segoe UI',sans-serif;color:rgb(31,73,125)"><u></u> </span></p></div></div></blockquote><div><br></div><div><br></div><div>Jody,</div><div><br></div><div>Thanks for the quick response. I realize there's two parts to this - what the Microsoft root program expects, and what Windows will enforce. It's perfectly reasonable to expect something that isn't (yet) enforced - the Baseline Requirements are a great example of collaborating on setting expectations, even if we don't all programatically enforce them (e.g. validity period ranges of certificates, which only Chrome enforces, even though all of us expect it by virtue of the BRs)</div><div><br></div><div>With the new update, I want to make sure I'm reading this correctly:</div><div><br></div><div><a href="http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Enforcement_in_General">http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Enforcement_in_General</a><br></div><div>Under Bullet 7 (typod OSSP, btw), the Microsoft *policy* is that OCSP signatures must use SHA-2 beginning 2016/01/01</div><div><br></div><div>This is "Microsoft requires CAs to start issuing new OCSP signatures using only the SHA-2 algorithm after January 1, 2016 for SHA-2 SSL certificates"</div><div><br></div><div>This seems to conflict with Enforcement Details section, that describes the difference between Windows Behaviour and Microsoft Policy ( <a href="http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#H1_B">http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#H1_B</a> )</div><div><br></div><div>which is that Microsoft policy is that CAs should move to SHA-2 (but presumably, if they should, it's not that they must). This seems consistent with your updated timeline under the Schedule section, which explicitly calls it out as SHOULD.</div><div><br></div><div>So I guess the ambiguity is whether the "requires" in Enforcement in General is a MUST or if it's a SHOULD.</div><div><br></div><div>I think the rest is clear (SHA-2 is required *and* enforced starting 2016/01/01 for anything with Must-Staple; SHA-2 is required *and* enforced on 2017/01/01), but it's a question about whether SHA-2 is required *but not* enforced starting 2016/01/01 - Schedule and Enforcement are clear that it's not enforced, but "Enforcement in General" is inconsistent with them both with regards to requirements of Microsoft Policy.</div></div></div></div>