<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Sorry, allow me to clarify:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>On #1, I wouldn’t refer to them as “proponents of SHA-1 certificates” as that’s not what they are. They are organizations that are having trouble replacing all their SHA-1 certificates by Jan 1, 2016. I think your statement in #2 below reflects their question. And specifically the threat model to new issuance that expire on the same date as current SHA-1 certificates.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>On #2, yes, apparently there are several use cases (large deployments) of publicly trusted TLS certificates that are not used within browser environments and in which upgrading to SHA-2 requires additional time to change out hardware, software, etc. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I hope that provides some clarity. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Dean<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Monday, October 19, 2015 3:57 PM<br><b>To:</b> Dean Coclin<br><b>Cc:</b> public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] Ballot 152 - Issuance of SHA-1 certificates through 2016)<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Mon, Oct 19, 2015 at 12:48 PM, Dean Coclin <<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>> wrote:<o:p></o:p></p><p class=MsoNormal>Despite this latest news and the withdrawal of the current ballot, I have<br>heard increasing calls from very large enterprises (Fortune 50) and<br>Governments that state the issue previously described, that is, the problem<br>in replacing high numbers of SHA1 certs before Dec 31 2015, doesn't go away.<br><br>Two issues which they feel have not adequately been described in threat<br>models:<br><br>1. The prohibition of issuing SHA1 certs after Dec 31, 2015 that still<br>expire by the existing deadline (Dec 31, 2016).<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm not sure I follow what you're requesting here. I can see several ways of interpreting this:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>1) Proponents of SHA-1 certificates do not feel they adequately understand why such issuance is prohibited beginning Jan 1, 2016.<o:p></o:p></p></div><div><p class=MsoNormal>2) Proponents of SHA-1 certificates do not feel they adequately understand why such issuance is prohibited beginning Jan 1, 2016 when existing certificates are allowed to have validity periods carrying on past that date.<o:p></o:p></p></div><div><p class=MsoNormal>3) Other<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Could you clarify?<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal>2. The prohibition of issuing non-browser based SHA-1 certs beyond Dec 31,<br>2015. This appears to be a huge issue, the scope of which is still being<br>quantified. (Some may say that they shouldn't have been issuing from public<br>roots but this started way before the CA/B Forum)<o:p></o:p></p></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>To make sure I understand, is it fair to restate this as "Proponents of SHA-1 issuance do not understand why it is prohibited beginning Jan 1, 2016 for certificates that are used for SSL/TLS but not used within browser environments"? <o:p></o:p></p></div></div></div></div></div></body></html>