<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>I think the idea would be to take the SHOULD NOT from that second paragraph and make it a MUST NOT. <br><br>Sent from my iPhone. Please excuse brevity. </div><div><br>On Oct 14, 2015, at 14:04, Geoff Keating <<a href="mailto:geoffk@apple.com">geoffk@apple.com</a>> wrote:<br><br></div><blockquote type="cite"><div><meta http-equiv="Content-Type" content="text/html charset=utf-8"><br class=""><div><blockquote type="cite" class=""><div class="">On 14 Oct 2015, at 10:29 AM, Gervase Markham <<a href="mailto:gerv@mozilla.org" class="">gerv@mozilla.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">On 12/10/15 19:19, Rick Andrews wrote:<br class=""><blockquote type="cite" class="">Symantec and the endorsers withdraw this ballot.<br class=""></blockquote><br class="">I'm not sad to see this ballot go, but there was one aspect of it which<br class="">seems worth preserving:<br class=""><br class=""><blockquote type="cite" class="">Effective 1 January 2016, CAs MUST NOT issue Subscriber Certificates <br class="">utilizing the SHA‐1 algorithm with an Expiry Date greater than 1 <br class="">January 2017. Any SHA-1 Subscriber Certificates issued after 1 <br class="">January 2016 must be signed by a Subordinate CA certificate with a <br class="">basicConstraints pathLen=0.”.<br class=""></blockquote><br class="">If this provision is acceptable as part of the larger change, it should<br class="">be acceptable on its own. While browsers are able to reject such certs,<br class="">and all major ones have stated that they will do so, forbidding their<br class="">issuance would reduce the number of surprised or upset website owners on<br class="">1st January 2017.<br class=""><br class="">So I am minded to propose a ballot containing only this language. Comments?<br class=""></div></div></blockquote></div><br class=""><div class="">The current position is:</div><div class=""></div><blockquote type="cite" class=""><div class=""><br class=""></div><div class="">
<div class="page" title="Page 42">
<div class="layoutArea">
<div class="column"><p class=""><span style="font-size:10.000000pt;font-family:'Cambria'" class="">Effective 1 January 2016, CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates
using the SHA‐1 hash algorithm. CAs MAY continue to sign certificates to verify OCSP responses using SHA1
until 1 January 2017. This Section 7.1.3 does not apply to Root CA or CA cross certificates. CAs MAY continue
to use their existing SHA‐1 Root Certificates. SHA‐2 Subscriber certificates SHOULD NOT chain up to a SHA‐1
Subordinate CA Certificate.
</span></p><p class=""><span style="font-size:10.000000pt;font-family:'Cambria'" class="">Effective 16 January 2015, CAs SHOULD NOT issue Subscriber Certificates utilizing the SHA‐1 algorithm with
an Expiry Date greater than 1 January 2017 because Application Software Providers are in the process of
deprecating and/or removing the SHA‐1 algorithm from their software, and they have communicated that
CAs and Subscribers using such certificates do so at their own risk. </span></p></div></div></div></div></blockquote><div class=""><div class="page" title="Page 42"><div class="layoutArea"><div class="column">
</div>
</div>
</div></div><div class=""><br class=""></div><div class="">so this would change the second paragraph to say ‘Effective 1 January 2016, CAs MUST NOT…’, correct? But that’s pointless, because the first paragraph already says that.</div></div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Public mailing list</span><br><span><a href="mailto:Public@cabforum.org">Public@cabforum.org</a></span><br><span><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a></span><br></div></blockquote></body></html>