<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Feb 3, 2017 at 7:53 PM, Ryan Sleevi via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote"><span class="gmail-">On Fri, Feb 3, 2017 at 7:42 PM, realsky(CHT) <span dir="ltr"><<a href="mailto:realsky@cht.com.tw" target="_blank">realsky@cht.com.tw</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class="gmail-m_6935990142941520760gmail-"><br></span></div></div></div></blockquote></span><span class="gmail-"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><font color="#0000ff"> </font></div><div><font color="#0000ff"><br>
</font></div><div><font color="#0000ff">I think most CAs offer their cusomers to migrate SHA-1 SSL certificates to SHA 256 SSL certificates for free. Try their best to call out and e-mail to the customers to encourage them. </font></div></div></div></div></div></blockquote><div><br></div></span><div>A number of CAs had trouble. I think <a href="https://github.com/konklone/shaaaaaaaaaaaaa/issues/24" target="_blank">https://github.com/konklone/<wbr>shaaaaaaaaaaaaa/issues/24</a> - a site Eric Mill put together when Chrome made the UI changes - is a pretty telling example of CAs not being as prepared as they otherwise suggested. More importantly, it highlights that changes didn't happen until they were forced - and a number of customers who actively wanted to be more secure were prevented by the insecure practices and defaults of a number of CAs.</div></div></div></div></blockquote><div><br></div><div>Even rereading that thread is painful. Yes, running <a href="https://shaaaaaaaaaaaaa.com">https://shaaaaaaaaaaaaa.com</a> during the spike of attention to SHA-1 that Chrome's UI change generated got me very well-acquainted with how prepared CAs were to operationally migrate to SHA-2, and the experiences they subjected their customers to during that process. The <a href="http://web.archive.org/web/20141027141746/https://shaaaaaaaaaaaaa.com/">home page was filled with links</a> to workaround and instructions for getting SHA-2 EE certs and intermediates, that generally only the most technically savvy users could hope to follow.</div><div><br></div><div>It seems like people learned a lot from that period, along with how difficult it's been to grant exceptions over 2016. But I honestly don't understand the argument for keeping longer-lived certificates other than "customers want it", which is a very weak argument when customers would clearly be able to tolerate relatively shorter certificates. </div><div><br></div><div>Arguing that a 1-year limit would favor automation and that that favors any particular set of CAs is even weaker -- if pushing customers towards automation represents a threat to a particular CA, that CA should perhaps look carefully at its feature roadmap. Automation is, by any measure, the future of trust and infrastructure, and it should feel very scary to feel business incentives that point in the opposite direction.</div><div><br></div><div>-- Eric</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><a href="https://konklone.com" target="_blank">konklone.com</a> | <a href="https://twitter.com/konklone" target="_blank">@konklone</a><br></div></div></div></div></div></div></div>
</div></div>