<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 3, 2017 at 7:42 PM, realsky(CHT) <span dir="ltr"><<a href="mailto:realsky@cht.com.tw" target="_blank">realsky@cht.com.tw</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class="gmail-"><div><span style="color:rgb(0,0,255)">===></span><br></div></span><div><font color="#0000ff">Ryan, You said you hope Jody can share his graph. Do you mean the discussion in last Fall Redmond F2F meeting as the minute below in Mozilla's news section?</font></div><div><a href="https://cabforum.org/2016/10/19/2016-10-19-20-f2f-meeting-39-minutes/#Mozilla" target="_blank"><font color="#0000ff">https://cabforum.org/2016/10/<wbr>19/2016-10-19-20-f2f-meeting-<wbr>39-minutes/#Mozilla</font></a></div><div><font color="#0000ff"><br>
</font></div><div><font color="#0000ff">Side note based on comments from Microsoft<br>
•MS shows 20M sites with SHA-1 where as FF counts traffic<br>
•Why do this now vs. waiting a year, that’s the rush?<br>
•Wants to work with other browsers on timing. Google might have different pain thresholds. Goal is to figure out we get proper user feedback and that stakeholders are not screaming.</font></div></div></div></div></div></blockquote><div><br></div><div>There were several graphs, but one of them examined the validity period of the certificates they were seeing; that is, when do these certs naturally expire.</div><div><br></div><div>As captured in the remark, the point was "Too many valid certs out there" that were causing discomfort in disabling SHA-1, which would break them.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class="gmail-"><div>The no-SHA-1 requirement came in force January 2016 - not 2015. We passed the Ballot in 2015, following Microsoft's announced deprecation in Nov 12, 2013 - <a href="https://technet.microsoft.com/en-us/library/security/2880823.aspx" target="_blank">https://technet.microsoft.<wbr>com/en-us/library/security/<wbr>2880823.aspx</a></div><div><br>
</div></span><div><font color="#0000ff">==></font></div><div><font color="#0000ff">The SHA-1 sunset ballot was passed on 16 October 2014, not 2015. </font></div><div><font color="#0000ff">Please see </font></div><div><a href="https://cabforum.org/2014/10/16/ballot-118-sha-1-sunset/" target="_blank"><font color="#0000ff">https://cabforum.org/2014/10/<wbr>16/ballot-118-sha-1-sunset/</font></a></div></div></div></div></div></blockquote><div><br></div><div>Thanks; an unintentional typo but that still highlights it took a year for the Forum to agree (even after a root program required it), and it took 2 years and some change before browsers disabled it, and it *still* broke (and breaks) a number of sites.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><font color="#0000ff"> </font></div><div><font color="#0000ff"><br>
</font></div><div><font color="#0000ff">I think most CAs offer their cusomers to migrate SHA-1 SSL certificates to SHA 256 SSL certificates for free. Try their best to call out and e-mail to the customers to encourage them. </font></div></div></div></div></div></blockquote><div><br></div><div>A number of CAs had trouble. I think <a href="https://github.com/konklone/shaaaaaaaaaaaaa/issues/24">https://github.com/konklone/shaaaaaaaaaaaaa/issues/24</a> - a site Eric Mill put together when Chrome made the UI changes - is a pretty telling example of CAs not being as prepared as they otherwise suggested. More importantly, it highlights that changes didn't happen until they were forced - and a number of customers who actively wanted to be more secure were prevented by the insecure practices and defaults of a number of CAs.</div></div></div></div>