<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Segoe UI",sans-serif;
color:#1F497D;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Segoe UI',sans-serif;color:#1F497D">Hi Ryan,
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Segoe UI',sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Segoe UI',sans-serif;color:#1F497D">I talked to Sakib about this, and we decided to change "CAs MUST sign OCSP responses with SHA-2 only" to "CAs SHOULD sign OCSP responses with SHA-2 only" on
January 1, 2016, because Windows will not actually enforce on this date. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Segoe UI',sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Segoe UI',sans-serif;color:#1F497D">Check out the update.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Segoe UI',sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Segoe UI',sans-serif;color:#1F497D">Jody<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Segoe UI',sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:'Calibri',sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:'Calibri',sans-serif"> Ryan Sleevi [mailto:sleevi@google.com]
<br>
<b>Sent:</b> Friday, September 25, 2015 4:10 PM<br>
<b>To:</b> Jody Cloutier &lt;jodycl@microsoft.com&gt;<br>
<b>Cc:</b> public@cabforum.org; Microsoft Trusted Root Certificate Program &lt;trustcert@microsoft.com&gt;<br>
<b>Subject:</b> Re: [cabfpub] SHA-1 Wiki Posted<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Thanks for publishing this, Jody.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">When reading through, I noticed some inconsistency, so it might help to clarify.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Under Item 7 of Enforcement in General ( <a href="http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Enforcement_in_General">http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Enforcement_in_General</a>
), it says<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal">"Microsoft requires CAs to start issuing new OCSP signatures using only the SHA-2 algorithm after January 1, 2016 for SHA-2 SSL certificates"<o:p></o:p></p>
</blockquote>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Under Enforcement Details, <a href="http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#H1_B">http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#H1_B</a>,
for OCSP signatures it says<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal">"CAs should move to using SHA-2 starting 1/1/2016 for SHA-2 SSL certificates."<o:p></o:p></p>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">While under Schedule, <a href="http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Schedule">http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Schedule</a> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">For OCSP signatures, on the 1/1/2016 date, it says <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal">"CAs MUST sign OCSP responses with SHA-2 only"<o:p></o:p></p>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I'm guessing the 2/3 majority here wins, which is that beginning 2016/1/1, all SHA-2 signed SSL certificates MUST have their OCSP responses signed with a SHA-2 signature algorithm. Is that correct?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The confusion that arises is the somewhat weaker language in the Details section ("should move"), although admittedly, I'm accustomed to IETF language where "SHOULD" is more aligned with wishing on rainbows than actual reality :)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Fri, Sep 25, 2015 at 9:36 AM, Jody Cloutier &lt;<a href="mailto:jodycl@microsoft.com" target="_blank">jodycl@microsoft.com</a>&gt; wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:'Segoe UI',sans-serif">Microsoft published a new Wiki page that addresses many of the questions this audience has asked regarding SHA-1. Please see
<a href="http://aka.ms/sha1" target="_blank">http://aka.ms/sha1</a> for more information. Our goal is to add to the FAQ section as new questions come up.
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:'Segoe UI',sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:'Segoe UI',sans-serif">Please let me know if you have any questions.
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:'Segoe UI',sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:'Segoe UI',sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-family:'Segoe UI',sans-serif">Jody Cloutier</span></b><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span style="font-size:9.0pt;font-family:'Segoe UI',sans-serif">Senior Security Program Manager</span></i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:'Segoe UI',sans-serif"><a href="http://aka.ms/rootcert" target="_blank"><b><span style="font-size:9.0pt;color:#0563C1">Microsoft Trusted Root Certificate
Program</span></b></a></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><u><span style="font-size:10.0pt;font-family:'Segoe UI',sans-serif;color:#5B9BD5">O</span></u></b><span style="font-size:10.0pt;font-family:'Segoe UI',sans-serif">perating
<b><u><span style="color:#ED7D31">S</span></u></b>ystems <b><u><span style="color:red">G</span></u></b>roup</span><i><span style="font-size:9.0pt;font-family:'Segoe UI',sans-serif">
</span></i><b><u><span style="font-size:9.0pt;font-family:'Segoe UI',sans-serif">G</span></u></b><span style="font-size:9.0pt;font-family:'Segoe UI',sans-serif">lobal
<b><u>R</u></b>isk Management and <b><u>C</u></b>ompliance</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>