[cabfpub] SHA-1 changes and certificate lifetimes

Tom Albertson tomalb at microsoft.com
Thu Nov 14 15:33:36 MST 2013


Remember that 39 months is the maximum - to the extent CABF maintains certificate lifetimes for code signing certs, issuance of SHA1 code signing certs will have to end by 1 Jan 2016, or just over 25 months.  39 month maximum SHA2 code signing certs should be no problem - for SHA1 code signing certs no more than 24 months should be the rule immediately, transitioning to perhaps a 12 month expiration as we approach 2016.  SHA1 code signing and SSL certs have different schedules - my best advice to CAs is to avoid strategies that leave you with lots of time-valid SHA1 certs come 2016 and 2017.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, November 14, 2013 2:12 PM
To: 'Gervase Markham'; 'Wayne Thayer'; 'CABFPub'
Subject: Re: [cabfpub] SHA-1 changes and certificate lifetimes

I agree with Gerv and support moving towards 39 month certs with the SHA-2 transition. Every time the Forum wants to make a security improvement, there is a significant lag while we wait for existing certs to expire.  Reducing the time to 39 months keeps customers from having to re-purchase and install certificates too frequently while letting the Forum set more reasonable security update cycles. 

Jeremy
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Thursday, November 14, 2013 3:14 AM
To: Wayne Thayer; CABFPub
Subject: Re: [cabfpub] SHA-1 changes and certificate lifetimes

On 13/11/13 19:30, Wayne Thayer wrote:
> I still don't understand how this proposal is connected to the new
> SHA-2 rules. 

AIUI, one big reason we did not have an earlier transition date to 39-month max lifetime is that it would have required ringing up a load of customers and telling them to change their currently-working and unexpired certs. Now, we have to do that anyway, so it makes this objection no longer relevant.

My underlying assumption is that the CAB Forum wanted to make this transition sooner but was prevented from doing so by concerns such as this.
Now that this concern is not relevant, we can make the transition sooner. If, of course, you are not of the opinion that we should make the transition to 39 months as soon as possible, then you will not agree with the logic of doing it now rather than in April 2015. :-)

>>> In addition, reducing the allowed lifetime actually makes it harder 
>>> to transition longer duration certs to SHA-2.  If a CA issues a 5 
>>> year SHA-1 cert today and then can't reissue it with
>>> SHA-2 for the full term starting on Jan 1, then perhaps the least 
>>> bad choice is to wait until the remaining lifetime of the cert is 
>>> less than 39 months.
>> 
>> That would be an entirely reasonable thing to do.
> 
> It seems to me that a more reasonable thing would be to start 
> transitioning customers with these certs to SHA-2 as soon as possible.

And if you are replacing their cert anyway, my logic runs, let's replace it with one which meets the new max duration criteria that we would like, rather than the old.

Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public

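The figures Tom gives above (39-month maximum, SHA-1 code signing issuance ending 1 Jan 2016, an interim 24-month cap dropping to 12 months, and the warning about SHA-1 certs still valid in 2016 and 2017) translate directly into an inventory check a CA or a relying party can run over its own certificates. The script below is an added example, not code from this thread or from the CA/Browser Forum. It assumes a small constructed inventory, an assumed 1 Jan 2015 switch-over date from the 24-month to the 12-month interim cap (the list gives no exact date), a hypothetical `CertRecord` type, and that signature algorithm names are written as `openssl x509 -noout -text` prints them.

```python
"""Flag certificates that conflict with the SHA-1 lifetime figures discussed
on the list. Added example; the policy table and the inventory are
constructed for illustration and are not CA/Browser Forum requirements."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Figures quoted in the thread, applied here as written.
MAX_LIFETIME_MONTHS = 39                       # proposed maximum for any cert
SHA1_CODESIGN_ISSUANCE_END = date(2016, 1, 1)  # no SHA-1 code signing issuance from here on
# Interim SHA-1 code signing caps: 24 months now, 12 months "as we approach 2016".
# The switch-over date is NOT given on the list; 1 Jan 2015 is this example's assumption.
SHA1_CODESIGN_CAP_EARLY = 24
SHA1_CODESIGN_CAP_LATE = 12
SHA1_CODESIGN_CAP_SWITCH = date(2015, 1, 1)

# Signature algorithm names as printed by `openssl x509 -noout -text` (assumed set).
SHA1_ALGORITHMS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}


@dataclass
class CertRecord:
    """Hypothetical inventory row: what an operator would pull from each cert."""
    name: str
    kind: str            # "ssl" or "code-signing"
    sig_alg: str         # signature algorithm name
    not_before: date
    not_after: date


def lifetime_months(start: date, end: date) -> int:
    """Whole calendar months between start and end; a partial month is discarded."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:
        months -= 1
    return months


def is_sha1(sig_alg: str) -> bool:
    return sig_alg in SHA1_ALGORITHMS


def check_cert(cert: CertRecord) -> List[str]:
    """Return the list of policy findings for one certificate (empty means clean)."""
    findings: List[str] = []
    months = lifetime_months(cert.not_before, cert.not_after)
    if months > MAX_LIFETIME_MONTHS:
        findings.append(f"lifetime {months}m exceeds {MAX_LIFETIME_MONTHS}m maximum")
    if is_sha1(cert.sig_alg):
        if cert.kind == "code-signing":
            if cert.not_before >= SHA1_CODESIGN_ISSUANCE_END:
                findings.append("SHA-1 code signing cert issued on/after 2016-01-01")
            cap = (SHA1_CODESIGN_CAP_EARLY if cert.not_before < SHA1_CODESIGN_CAP_SWITCH
                   else SHA1_CODESIGN_CAP_LATE)
            if months > cap:
                findings.append(f"SHA-1 code signing lifetime {months}m exceeds interim cap {cap}m")
        # Tom's advice applies to SSL and code signing alike: do not be left holding
        # time-valid SHA-1 certs in 2016/2017, so report every SHA-1 cert that reaches 2016.
        if cert.not_after >= SHA1_CODESIGN_ISSUANCE_END:
            findings.append("SHA-1 cert remains valid into 2016 or later")
    return findings


def audit(inventory: List[CertRecord]) -> Dict[str, List[str]]:
    """Map each certificate name to its findings."""
    return {c.name: check_cert(c) for c in inventory}


# Constructed sample inventory (not real certificates).
SAMPLE_INVENTORY = [
    CertRecord("ssl-www", "ssl", "sha256WithRSAEncryption", date(2013, 11, 14), date(2017, 2, 14)),
    CertRecord("cs-legacy", "code-signing", "sha1WithRSAEncryption", date(2013, 11, 14), date(2018, 11, 13)),
    CertRecord("cs-short", "code-signing", "sha1WithRSAEncryption", date(2015, 6, 1), date(2016, 5, 31)),
    CertRecord("cs-late", "code-signing", "sha1WithRSAEncryption", date(2016, 1, 15), date(2016, 12, 15)),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

The `ssl-www` row is exactly 39 months and passes; the five-year SHA-1 code signing cert trips three findings at once (over the 39-month maximum, over the interim cap, and still valid past 2016), which is the situation the thread is trying to avoid. Dates and algorithm names for a real inventory come from `openssl x509 -noout -dates` and `openssl x509 -noout -text` on each certificate.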

