<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:"Segoe Pro";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Segoe UI",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1151018542;
mso-list-type:hybrid;
mso-list-template-ids:-1147790308 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Jody,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The Baseline Requirements state “Effective 1 January 2016, CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using the SHA‐1 hash algorithm.” This appears to be more restrictive
than your proposal below and will mitigate collision attacks in about 2 months from now.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I do not understand what the issue with SHA-1 signed certificates which are already issued. They would no longer be subject to a collision attack and there appears to be no risk of a preimage/second-preimage
attack during their validity period. I do not think the latest SHA-1 news has changed this understanding. I think your policy respects the issue with preimage for other certificates and see no reason why it shouldn’t be extended to SSL/TLS certificates. Nevertheless,
we do understand that Windows will deprecate SHA-1 starting 1 January 2017 and this information has been provided to most Subscribers.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks, Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Jody Cloutier<br>
<b>Sent:</b> Wednesday, October 28, 2015 4:20 PM<br>
<b>To:</b> public@cabforum.org<br>
<b>Cc:</b> Magnus Nyström <mnystrom@microsoft.com>; Nazmus Sakib <mdsakib@microsoft.com><br>
<b>Subject:</b> [cabfpub] Microsoft Proposed Updates to the SHA-1 Deprecation Timeline<br>
<b>Importance:</b> High<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif">In light of the recent news about potential SHA-1 vulnerabilities, Microsoft is considering changes to its SHA-1 deprecation policy, and we would like industry feedback on the ramification.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif">Generally, Microsoft proposes that it will move in the previously-announced January 1, 2017 date at which Windows products would no longer trust SHA-1 certificates issued by roots in the Trusted
Root Program and signed with the Mark of the Web. <b>This proposal would change that date to June 1, 2016.</b><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif">The summary of changes are as follows:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="font-family:"Segoe UI",sans-serif"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-family:"Segoe UI",sans-serif">CAs should move to issuing SHA-2 for signing OCSP responses for SHA-2 SSL certificates. Windows will no longer trust OCSP responses that use SHA-1 for their signature if the corresponding
certificate had the Must Staple extension after January 1, 2016. Windows will no longer trust OCSP responses that use SHA-1 for any SSL certificates after June 1, 2016.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="font-family:"Segoe UI",sans-serif"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-family:"Segoe UI",sans-serif">Windows will no longer trust files with the Mark of the Web attribute that are timestamped with a SHA-1 signature hash after 6/1/2016 on Windows 10 systems.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="font-family:"Segoe UI",sans-serif"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-family:"Segoe UI",sans-serif">CAs may not issue SHA-1 certificates after December 31, 2016 (this is more restrictive than the current CAB Forum guidelines)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="779" style="width:467.1pt;border-collapse:collapse">
<tbody>
<tr style="height:26.75pt">
<td width="259" valign="top" style="width:155.65pt;border:solid #999999 1.0pt;border-bottom:solid #666666 1.5pt;padding:0in 5.4pt 0in 5.4pt;height:26.75pt">
<p class="MsoNormal" style="line-height:105%"><b>Certificate Type</b><b><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></b></p>
</td>
<td width="259" valign="top" style="width:155.65pt;border-top:solid #999999 1.0pt;border-left:none;border-bottom:solid #666666 1.5pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:26.75pt">
<p class="MsoNormal" style="line-height:105%"><b>Windows Behavior</b><b><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></b></p>
</td>
<td width="260" valign="top" style="width:155.8pt;border-top:solid #999999 1.0pt;border-left:none;border-bottom:solid #666666 1.5pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:26.75pt">
<p class="MsoNormal" style="line-height:105%"><b>Microsoft Policy</b><b><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></b></p>
</td>
</tr>
<tr style="height:41.3pt">
<td width="259" valign="top" style="width:155.65pt;border:solid #999999 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt;height:41.3pt">
<p class="MsoNormal" style="line-height:105%"><b>TLS certificates</b><b><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></b></p>
</td>
<td width="259" valign="top" style="width:155.65pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:41.3pt">
<p class="MsoNormal" style="line-height:105%">Certificates signed with SHA-1 will be Blocked after 1/1/2017<o:p></o:p></p>
<p class="MsoNormal" style="line-height:105%"><o:p> </o:p></p>
<p class="MsoNormal" style="line-height:105%"><span style="color:red">[Update] Certificates signed with SHA-1 will be Blocked after 6/1/2016</span><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif;color:red">
</span><o:p></o:p></p>
</td>
<td width="260" valign="top" style="width:155.8pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:41.3pt">
<p class="MsoNormal" style="margin-bottom:2.2pt;line-height:105%">CAs must move all new certs to
<span style="font-family:"Segoe UI",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:105%">SHA-2 after 1/1/2016<span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:105%"><o:p> </o:p></p>
<p class="MsoNormal" style="line-height:105%"><span style="color:red">[Update] CAs must move all new certs to SHA-2 immediately</span><span style="font-family:"Segoe UI",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
<tr style="height:100.45pt">
<td width="259" valign="top" style="width:155.65pt;border:solid #999999 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt;height:100.45pt">
<p class="MsoNormal" style="line-height:105%"><b>Code signing certificates</b><b><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></b></p>
</td>
<td width="259" valign="top" style="width:155.65pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:100.45pt">
<p class="MsoNormal" style="margin-right:1.45pt;line-height:105%">On Win 7 and above, blocked on 1/1/2020 if time stamped before 1/1/2016, otherwise, blocked after 1/1/2016 for Mark of the Web files.
<span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-right:1.45pt;line-height:105%"><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-right:1.45pt;line-height:105%"><span style="color:red">[Update] On Win 7 and above, blocked on 1/1/2017 if time stamped before 1/1/2016, otherwise, blocked after 1/1/2016 for Mark of the Web files.<br>
<br>
SmartScreen data may be used to allow certificates with good reputation </span><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif;color:red"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-right:1.45pt;line-height:105%"><span style="color:black"><o:p> </o:p></span></p>
</td>
<td width="260" valign="top" style="width:155.8pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:100.45pt">
<p class="MsoNormal" style="line-height:105%">CAs should issue new code signing certs with SHA-1 after 1/1/2016 only for developers
<span style="font-family:"Segoe UI",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:.7pt;line-height:105%">targeting <o:p></o:p></p>
<p class="MsoNormal" style="margin-right:1.15pt;text-align:justify;line-height:105%">
Vista/2008, <span style="font-size:11.5pt;line-height:105%">otherwise, move all new certs to SHA2</span><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></p>
</td>
</tr>
<tr style="height:41.3pt">
<td width="259" valign="top" style="width:155.65pt;border:solid #999999 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt;height:41.3pt">
<p class="MsoNormal" style="line-height:105%"><b>S/MIME certificates</b><b><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></b></p>
</td>
<td width="259" valign="top" style="width:155.65pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:41.3pt">
<p class="MsoNormal" style="line-height:105%">No OS specific policies. Application policies.<span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></p>
</td>
<td width="260" valign="top" style="width:155.8pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:41.3pt">
<p class="MsoNormal" style="line-height:105%">CAs are recommended to move to SHA-2<span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></p>
</td>
</tr>
<tr style="height:84.7pt">
<td width="259" valign="top" style="width:155.65pt;border:solid #999999 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt;height:84.7pt">
<p class="MsoNormal" style="line-height:105%"><b>Time-stamping certificates</b><b><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></b></p>
</td>
<td width="259" valign="top" style="width:155.65pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:84.7pt">
<p class="MsoNormal" style="line-height:105%"><span style="font-size:11.5pt;line-height:105%">No changes until SHA-1 preimage is possible</span><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></p>
</td>
<td width="260" valign="top" style="width:155.8pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:84.7pt">
<p class="MsoNormal" style="line-height:105%">CAs must issue new TS certs with SHA-1 after 1/1/2016 only for developers targeting
<o:p></o:p></p>
<p class="MsoNormal" style="line-height:105%">Vista/2008, otherwise, move all new certs to SHA2<span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></p>
</td>
</tr>
<tr style="height:42.5pt">
<td width="259" valign="top" style="width:155.65pt;border:solid #999999 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt;height:42.5pt">
<p class="MsoNormal" style="line-height:105%"><b>OCSP signing and CRL signing certificates</b><b><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></b></p>
</td>
<td width="259" valign="top" style="width:155.65pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:42.5pt">
<p class="MsoNormal" style="line-height:105%">No changes until SHA-1 preimage is possible<span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></p>
</td>
<td width="260" valign="top" style="width:155.8pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:42.5pt">
<p class="MsoNormal" style="line-height:105%"><span style="font-size:11.5pt;line-height:105%">No changes until SHA-1 preimage is possible</span><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></p>
</td>
</tr>
<tr style="height:70.3pt">
<td width="259" valign="top" style="width:155.65pt;border:solid #999999 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt;height:70.3pt">
<p class="MsoNormal" style="line-height:105%"><b>OCSP signatures</b><b><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></b></p>
</td>
<td width="259" valign="top" style="width:155.65pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:70.3pt">
<p class="MsoNormal" style="margin-right:1.6pt;line-height:105%">On Windows 10 and above for certificates with the Must Staple extension, SHA-1 signatures will not be accepted after 1/1/2016<o:p></o:p></p>
<p class="MsoNormal" style="margin-right:1.6pt;line-height:105%"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-right:1.6pt;line-height:105%">On Windows 10 and above, SHA-1 signatures will not be accepted for any SSL certificate after 1/1/2017
<o:p></o:p></p>
<p class="MsoNormal" style="margin-right:1.6pt;line-height:105%"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-right:1.6pt;line-height:105%"><span style="color:red">[Update] Windows will no longer trust OCSP responses that use SHA-1 for their signature if the corresponding certificate had the Must Staple extension after January 1,
2016. Windows will no longer trust OCSP responses that use SHA-1 for any SSL certificates after June 1, 2016.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-right:1.6pt;line-height:105%"><span style="font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
</td>
<td width="260" valign="top" style="width:155.8pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:70.3pt">
<p class="MsoNormal" style="line-height:105%">CAs should move to using SHA-2 starting 1/1/2016 for SHA-2 SSL certificates.<br>
<br>
CAs should prepare to move to SHA-2 for all SSL certificates by 1/1/2017<span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:105%"><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
<p class="MsoNormal" style="line-height:105%"><span style="color:red">[Update] CAs should move to issuing SHA-2 for signing OCSP responses for SHA-2 SSL certificates.</span><o:p></o:p></p>
</td>
</tr>
<tr style="height:41.15pt">
<td width="259" valign="top" style="width:155.65pt;border:solid #999999 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt;height:41.15pt">
<p class="MsoNormal" style="line-height:105%"><b>CRL signatures</b><b><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span></b><b><span style="font-family:"Segoe UI",sans-serif"><o:p></o:p></span></b></p>
</td>
<td width="259" valign="top" style="width:155.65pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:41.15pt">
<p class="MsoNormal" style="line-height:105%">No changes until SHA-1 preimage is possible<span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></p>
</td>
<td width="260" valign="top" style="width:155.8pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:41.15pt">
<p class="MsoNormal" style="line-height:105%">No changes until SHA-1 preimage is possible<span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></p>
</td>
</tr>
<tr style="height:41.3pt">
<td width="259" valign="top" style="width:155.65pt;border:solid #999999 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt;height:41.3pt">
<p class="MsoNormal" style="line-height:105%"><b>Code signing signatures</b><b><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></b></p>
</td>
<td width="259" valign="top" style="width:155.65pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:41.3pt">
<p class="MsoNormal" style="line-height:105%">No changes until SHA-1 preimage is possible<span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></p>
</td>
<td width="260" valign="top" style="width:155.8pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:41.3pt">
<p class="MsoNormal" style="line-height:105%">No changes until SHA-1 preimage is possible<span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></p>
</td>
</tr>
<tr style="height:55.7pt">
<td width="259" valign="top" style="width:155.65pt;border:solid #999999 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt;height:55.7pt">
<p class="MsoNormal" style="line-height:105%"><b>Time-stamp signatures</b><b><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></b></p>
</td>
<td width="259" valign="top" style="width:155.65pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:55.7pt">
<p class="MsoNormal" style="line-height:105%">On Win 10 and above, blocked on 1/1/2017 for Mark of the Web files.<span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:105%"><span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
<p class="MsoNormal" style="line-height:105%"><span style="color:red">[Update] On Win 10 and above, blocked on 6/1/2016 for Mark of the Web files.
<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:105%"><span style="font-family:"Segoe UI",sans-serif;color:black"><o:p> </o:p></span></p>
</td>
<td width="260" valign="top" style="width:155.8pt;border-top:none;border-left:none;border-bottom:solid #999999 1.0pt;border-right:solid #999999 1.0pt;padding:0in 5.4pt 0in 5.4pt;height:55.7pt">
<p class="MsoNormal" style="line-height:105%">CAs should move to using SHA-2 starting 1/1/2016<span style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman",serif">
</span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif">Microsoft is asking for feedback from Forum members on the implications to the industry should we move forward with these changes. Please provide comments before Monday, November 2, 2015 by
replying to this mail.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif">Thank you,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Jody Cloutier<o:p></o:p></span></b></p>
<p class="MsoNormal"><i><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif">Senior Security Program Manager<o:p></o:p></span></i></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><a href="http://aka.ms/rootcert"><b><span style="font-size:9.0pt">Microsoft Trusted Root Certificate Program</span></b></a></span><b><u><span style="color:#0563C1"><o:p></o:p></span></u></b></p>
<p class="MsoNormal"><a href="sip:jodycl@microsoft.com" title="send an IM to Stein Dolan"><span style="font-family:"Segoe UI",sans-serif;color:windowtext;text-decoration:none"><img border="0" width="55" height="16" id="Picture_x0020_1" src="cid:image001.png@01D111A1.8AB09450" alt="cid:image001.png@01D066D6.E5E48E60"></span></a><a href="tel:+1%20(425)%20705-7566" title="Call Stein Dolan's Work Number"><span style="font-family:"Segoe UI",sans-serif;color:windowtext;text-decoration:none"><img border="0" width="65" height="16" id="Picture_x0020_2" src="cid:image002.png@01D111A1.8AB09450" alt="cid:image002.png@01D066D6.E5E48E60"></span></a><a href="mailto:jodycl@microsoft.com" title="Email Stein Dolan"><span style="font-family:"Segoe UI",sans-serif;color:windowtext;text-decoration:none"><img border="0" width="55" height="16" id="Picture_x0020_3" src="cid:image003.png@01D111A1.8AB09450" alt="cid:image003.png@01D066D6.E5E48E60"></span></a><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><a href="http://microsoft.com/"><span style="font-size:8.0pt;font-family:"Segoe UI",sans-serif;color:#0072BC;border:none windowtext 1.0pt;padding:0in;text-decoration:none"><img border="0" width="122" height="26" id="Picture_x0020_11" src="cid:image004.png@01D111A1.8AB09450" alt="https://brandtools.microsoft.com/Style%20Library/BT/Images/MicrosoftMasterLogo.png"></span></a><span style="font-family:"Segoe Pro""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
</div>
</body>
</html>