[cabfpub] Microsoft SHA-1 deprecation problem for Kernel Mode Code Signing

Tom Albertson tomalb at microsoft.com
Wed Nov 13 17:43:06 UTC 2013

Hi Rob,

Yes, we are making changes to supported Windows versions to support SHA-2 for kernel mode code signing.  The patch will come out publicly, and we will notify kernel mode CAs about the expected timeframe and overall kmod strategy.


-----Original Message-----
From: Rob Stradling [mailto:rob.stradling at comodo.com] 
Sent: Wednesday, November 13, 2013 4:18 AM
To: Tom Albertson; Kelvin Yiu
Cc: public at cabforum.org
Subject: Microsoft SHA-1 deprecation problem for Kernel Mode Code Signing

Tom, Kelvin,

I know you're already aware that Windows Vista and Windows 7 are unable to use SHA-2 certificates for Kernel Mode Code Signing.

Your SHA-1 deprecation advisory [1] says:
"Recommendation: Microsoft recommends that certificate authorities no longer sign newly generated certificates using the SHA-1 hashing algorithm and begin migrating to SHA-2. Microsoft also recommends that customers replace their SHA-1 certificates with SHA-2 certificates at the earliest opportunity."

I understand this to mean that, ideally, you'd like us to switch from SHA-1 to SHA-2 _today_, for the issuance of new SSL certificates and Code Signing Certificates.

Does this mean that you've managed to hotfix all deployed Vista/7 boxes on the planet, so that SHA-2 certificates can now be used for Kernel Mode Code Signing?

If not, how do you intend to address this issue?

(I presume you're not phasing out Windows 7 at the same time as phasing out SHA-1!!)

[1] https://technet.microsoft.com/en-us/security/advisory/2880823

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
