[cabfpub] Microsoft SHA-1 deprecation problem for Kernel Mode Code Signing
Rob Stradling
rob.stradling at comodo.com
Wed Nov 13 12:18:17 UTC 2013
Tom, Kelvin,

I know you're already aware that Windows Vista and Windows 7 are unable
to use SHA-2 certificates for Kernel Mode Code Signing.

Your SHA-1 deprecation advisory [1] says:
"Recommendation: Microsoft recommends that certificate authorities no
longer sign newly generated certificates using the SHA-1 hashing
algorithm and begin migrating to SHA-2. Microsoft also recommends that
customers replace their SHA-1 certificates with SHA-2 certificates at
the earliest opportunity."

I understand this to mean that, ideally, you'd like us to switch from
SHA-1 to SHA-2 _today_, for the issuance of new SSL certificates and
Code Signing Certificates.

Does this mean that you've managed to hotfix all deployed Vista/7 boxes
on the planet, so that SHA-2 certificates can now be used for Kernel
Mode Code Signing?

If not, how do you intend to address this issue?
(I presume you're not phasing out Windows 7 at the same time as phasing
out SHA-1!!)

[1] https://technet.microsoft.com/en-us/security/advisory/2880823
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online