<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Hello,</div><div class=""><br class=""></div><div class="">The relying parties concerned can support TLS1.0 at most, certainly SSL3, probably SSL2, certainly not AES, mostly 3DES/RC2/RC4, only CBC mode, maybe DHE but probably only with standard groups, probably *-export cipher suites (the 40/512 junk category), no SNI, and certainly a lot of TLS attacks and CBC failures.</div><div class="">This proposal hopes that the RP will perform revocation checks by OCSP, or maybe no revocation check at all.</div><div class=""><br class=""></div><div class="">All this for 2-7% of user agents, to be confirmed, with a promise that it will be solved by 2019, « I swear ».</div><div class=""><br class=""></div><div class="">Is this serious?</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">
<div class="">Cordialement,</div><div class="">Erwann Abalea</div><div class=""><br class=""></div><br class="Apple-interchange-newline">

</div>
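<div class="">As an added example (not code from this thread or from the ballot), the following Python script classifies a ClientHello against the traits listed above: protocol version (including the SSLv2-format hello that old stacks send), export suites, RC4/RC2/3DES versus AES, absence of AEAD suites, absence of SNI, and whether the client advertises anything beyond SHA-1 in signature_algorithms. The function names, the suite table and the three sample hellos are mine; the samples are constructed with the builder functions rather than captured, and the cipher-suite identifiers are the registered values from RFC 5246 and the SSL 2.0/3.0 specifications.</div>

```python
"""Classify a ClientHello by the legacy-client traits listed in the message above.
Added example, not code from the thread.  Suite ids follow RFC 5246 and the SSL 2.0/3.0
specs; the sample hellos at the bottom are constructed, not captured traffic."""
import struct

# suite id -> (cipher, mode, export).  3-byte ids are native SSLv2 cipher specs.
SUITES = {
    0x0003: ("RC4", "stream", True),     # TLS_RSA_EXPORT_WITH_RC4_40_MD5
    0x0004: ("RC4", "stream", False),    # TLS_RSA_WITH_RC4_128_MD5
    0x0006: ("RC2", "CBC", True),        # TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    0x000A: ("3DES", "CBC", False),      # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x002F: ("AES", "CBC", False),       # TLS_RSA_WITH_AES_128_CBC_SHA
    0x009C: ("AES", "GCM", False),       # TLS_RSA_WITH_AES_128_GCM_SHA256
    0xC02F: ("AES", "GCM", False),       # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    0x010080: ("RC4", "stream", False),  # SSL_CK_RC4_128_WITH_MD5
    0x020080: ("RC4", "stream", True),   # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    0x0700C0: ("3DES", "CBC", False),    # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
}
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}

def u16(b: bytes, i: int) -> int:   # big-endian uint16 at offset i
    return struct.unpack(">H", b[i:i + 2])[0]

def parse_client_hello(data: bytes) -> dict:
    """Version, cipher suites, SNI and signature_algorithms from a TLS record or an SSLv2 hello."""
    if data[0] & 0x80:                               # SSLv2 header: 15-bit length, high bit set
        body = data[2:2 + (((data[0] & 0x7F) << 8) | data[1])]
        if body[0] != 0x01:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        suites = []
        for i in range(9, 9 + u16(body, 3), 3):      # 3-byte specs; a 0x00 prefix carries a TLS id
            k0, k1, k2 = body[i:i + 3]
            suites.append((k0 << 16) | (k1 << 8) | k2)
        return {"sslv2_hello": True, "version": u16(body, 1), "suites": suites, "sni": None, "sig_algs": None}
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = data[9:9 + int.from_bytes(data[6:9], "big")]
    pos = 35 + body[34]                              # skip version, random, session_id
    suites = [u16(body, i) for i in range(pos + 2, pos + 2 + u16(body, pos), 2)]
    pos += 2 + u16(body, pos)
    pos += 1 + body[pos]                             # compression_methods
    sni, sig_algs = None, None
    if pos < len(body):                              # extensions are optional; SSLv3/TLS1.0 clients often omit them
        end = pos + 2 + u16(body, pos)
        pos += 2
        while pos < end:
            etype, elen = u16(body, pos), u16(body, pos + 2)
            ext = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000:                      # server_name: list_len(2) type(1) name_len(2) name
                sni = ext[5:5 + u16(ext, 3)].decode("ascii")
            elif etype == 0x000D:                    # signature_algorithms: len(2) then (hash, sig) pairs
                sig_algs = [(ext[2 + i], ext[3 + i]) for i in range(0, u16(ext, 0), 2)]
    return {"sslv2_hello": False, "version": u16(body, 0), "suites": suites, "sni": sni, "sig_algs": sig_algs}

def classify(hello: dict) -> dict:
    """Map a parsed hello onto the traits listed above for legacy relying parties."""
    known = [SUITES[s] for s in hello["suites"] if s in SUITES]
    ciphers, modes = {c for c, _, _ in known}, {m for _, m, _ in known}
    sa = hello["sig_algs"]
    return {
        "max_version": VERSIONS.get(hello["version"], hex(hello["version"])),
        "tls10_or_older": hello["version"] <= 0x0301,
        "offers_aes": "AES" in ciphers,
        "offers_rc4_rc2_3des": bool(ciphers & {"RC4", "RC2", "3DES"}),
        "offers_export": any(e for _, _, e in known),
        "no_aead": "GCM" not in modes,               # only CBC (or RC4) suites
        "sends_sni": hello["sni"] is not None,
        # No signature_algorithms means the server must assume {sha1, rsa} (RFC 5246 7.4.1.4.1);
        # hash ids >= 4 are sha256 or stronger.
        "advertises_sha256": bool(sa) and any(h >= 4 for h, _ in sa),
    }

def build_tls_hello(version: int, suites: list, sni: str = None, sig_algs: list = None) -> bytes:
    """Construct a TLS-format ClientHello record (test input, not a capture)."""
    exts = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name
        exts += struct.pack(">HH", 0x0000, len(entry) + 2) + struct.pack(">H", len(entry)) + entry
    if sig_algs:
        pairs = b"".join(bytes(p) for p in sig_algs)
        exts += struct.pack(">HH", 0x000D, len(pairs) + 2) + struct.pack(">H", len(pairs)) + pairs
    hello = (struct.pack(">H", version) + bytes(32) + b"\x00" + struct.pack(">H", 2 * len(suites))
             + b"".join(struct.pack(">H", s) for s in suites) + b"\x01\x00"
             + (struct.pack(">H", len(exts)) + exts if exts else b""))
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack(">HH", version, len(hs)) + hs

def build_sslv2_hello(specs: list) -> bytes:
    """Construct an SSLv2-format CLIENT-HELLO with 3-byte cipher specs (test input)."""
    cs = b"".join(s.to_bytes(3, "big") for s in specs)
    body = b"\x01" + struct.pack(">HHHH", 0x0002, len(cs), 0, 16) + cs + bytes(16)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

# Constructed samples: TLS1.0-only client (RC4/3DES/export, no extensions), TLS1.2 browser, SSLv2 hello.
LEGACY = build_tls_hello(0x0301, [0x0004, 0x000A, 0x0003, 0x0006])
MODERN = build_tls_hello(0x0303, [0xC02F, 0x009C, 0x002F, 0x000A, 0x00FF],
                         sni="www.example.com", sig_algs=[(4, 1), (2, 1)])
SSLV2 = build_sslv2_hello([0x010080, 0x020080, 0x0700C0, 0x000004])
```

<div class="">Calling <code>classify(parse_client_hello(raw))</code> on the first record of each connection seen at the edge and tallying the flags gives a measurement of the legacy share the message puts at 2-7%. Clients that send no signature_algorithms extension are the ones that give the server no evidence they accept anything but SHA-1; under RFC 5246 the server must then behave as if {sha1, rsa} had been offered.</div>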
<br class=""><div><blockquote type="cite" class=""><div class="">Le 18 déc. 2015 à 23:21, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" class="">jeremy.rowley@digicert.com</a>> a écrit :</div><br class="Apple-interchange-newline"><div class="">
<div lang="EN-US" link="#0563C1" vlink="#954F72" class="">
<div class="WordSection1"><p class="MsoNormal">Hi everyone, <o:p class=""></o:p></p><p class="MsoNormal"><o:p class=""> </o:p></p><p class="MsoNormal">Attached is a proposal from Cloudflare and Facebook creating LV certificates in the baseline requirements.  This is a draft ballot for review that will, of course, change based on the debate in the forum. Although CAs will stop issuing
 SHA-1 on 2016/1/1, there isn’t any reason these changes couldn’t go into effect in early January (assuming a passing vote).<o:p class=""></o:p></p><p class="MsoNormal"><o:p class=""> </o:p></p><p class="MsoNormal">If adopted, this ballot would permit continued use of SHA1 certificates past the deprecation deadline (to support older devices) but give newer browsers an easy way to reject SHA1 for users.  The ballot also increases the resiliency of
 SHA1 certs against attacks by requiring higher entropy serial numbers.<o:p class=""></o:p></p><p class="MsoNormal"><o:p class=""> </o:p></p><p class="MsoNormal">I look forward to your comments.<o:p class=""></o:p></p><p class="MsoNormal"><o:p class=""> </o:p></p><p class="MsoNormal">Thanks,<o:p class=""></o:p></p><p class="MsoNormal">Jeremy<o:p class=""></o:p></p><p class="MsoNormal"><o:p class=""> </o:p></p>
</div>
</div>

<span id="cid:FA83ED2B-0D95-4C23-9822-72AAB82F025C@keynectis-sa.local"><DRAFT_LV_BallotProposal.pdf></span><span id="cid:33A563BD-2E16-4591-8FF1-0B93B7FF36D7@keynectis-sa.local"><DRAFT_LV_BallotProposal.docx></span>_______________________________________________<br class="">Public mailing list<br class=""><a href="mailto:Public@cabforum.org" class="">Public@cabforum.org</a><br class="">https://cabforum.org/mailman/listinfo/public<br class=""></div></blockquote></div><br class=""></body></html>