[cabfpub] SHA-1 changes and certificate lifetimes

Brian Smith brian at briansmith.org
Thu Nov 14 22:38:01 UTC 2013

On Thu, Nov 14, 2013 at 2:33 PM, Tom Albertson <tomalb at microsoft.com> wrote:
> Remember that 39 months is the maximum - to the extent CABF maintains certificate lifetimes for code signing certs, issuance of SHA1 code signing certs will have to end by 1 Jan 2016, or just over 25 months.  39 month maximum SHA2 code signing certs should be no problem - for SHA1 code signing certs no more than 24 months should be the rule immediately, transitioning to perhaps a 12 month expiration as we approach 2016.  SHA1 code signing and SSL certs have different schedules - my best advice to CAs is to avoid strategies that leave you with lots of time valid sha1 certs come 2016 and 2017.

Tom, what do you think about the proposal I posted earlier in the
thread to enforce this in browsers? I copied it below. If we enforce
this maximum cert age then it will be easier for CAs to explain why
they have to limit the cert validity period. Also, we would avoid the
situation where the least cooperative CAs would have an advantage,
business-wise, over CAs that cap the notAfter date.


I propose that we require that all newly-issued SHA-1 certificates
must have a notAfter date of 2017-01-01 or earlier, and CAs should
work with customers to replace all existing SHA-1 certificates with a
notAfter date later than 2017-01-01 before 2016-07-01. And, let's
agree to enforce this in browsers by a check that rejects any SHA1
cert with notBefore >= 2014-03-01 and notAfter > 2017-01-01, for any
built-in CA, to be deployed before 2014-03-01. And, let's agree to
review this yearly and adjust accordingly.

This is the only realistic way that the 2017-01-01 cutoff date is
going to be met, AFAICT.

More information about the Public mailing list