[cabfpub] SHA-1 changes and certificate lifetimes

Gervase Markham gerv at mozilla.org
Wed Nov 13 11:28:51 UTC 2013

On 13/11/13 10:46, Brian Smith wrote:
> I propose that we require all newly-issued SHA-1 certificates must
> have a notAfter date of 2017-01-01 or earlier, and CAs should work
> with customers to replace all existing SHA-1 certificates with a
> notAfter date later than 2017-01-01 before 2016-07-01. And, let's
> agree to enforce this in browsers by a check that rejects any SHA1
> cert with notBefore >= 2014-03-01 and notAfter > 2017-01-01, for any
> built-in CA, to be deployed before 2014-03-01. And, let's agree to
> review this yearly and adjust accordingly.
> This is the only realistic way that the 2017-01-01 cutoff date is
> going to be met.
> Note that I'm not proposing these changes as a substitute for what you
> are proposing. AFAICT, what you are proposing is more general, and my
> proposal is complementary to it.

Indeed. It seems that what you are saying here is: "The CAB Forum should
adopt, and ask browsers to enforce, Microsoft's SHA-1 deprecation
timeline." That is certainly an idea worth discussing, but it's
definitely a different idea to what I am proposing.


More information about the Public mailing list