[cabfpub] SHA-1 changes and certificate lifetimes

Katsuo Chujo katsuo.chujo at globalsign.com
Fri Nov 15 10:41:27 UTC 2013

Hi Brian,

I agree with your proposal representing GlobalSign.
That is the way that CAs can formally and cooperatively promote the best
practice in the market.

BTW, I am Katsuo Chujo, representing SSL product in GlobalSign. Nice to
e-meet you all:-)


Katsuo Chujo

On 2013/11/15 7:38, "Brian Smith" <brian at briansmith.org> wrote:

>On Thu, Nov 14, 2013 at 2:33 PM, Tom Albertson <tomalb at microsoft.com>
>> Remember that 39 months is the maximum - to the extent CABF maintains
>>certificate lifetimes for code signing certs, issuance of SHA1 code
>>signing certs will have to end by 1 Jan 2016, or just over 25 months.
>>39 month maximum SHA2 code signing certs should be no problem - for SHA1
>>code signing certs no more than 24 months should be the rule
>>immediately, transitioning to perhaps a 12 month expiration as we
>>approach 2016.  SHA1 code signing and SSL certs have different schedules
>>- my best advice to CAs is to avoid strategies that leave you with lots
>>of time valid sha1 certs come 2016 and 2017.
>Tom, what do you think about the proposal I posted earlier in the
>thread to enforce this in browsers? I copied it below. If we enforce
>this maximum cert age then it will be easier for CAs to explain why
>they have to limit the cert validity period. Also, we would avoid the
>situation where the least cooperative CAs would have an advantage,
>business-wise, over CAs that cap the notAfter date.
>I propose that we require that all newly-issued SHA-1 certificates
>must have a notAfter date of 2017-01-01 or earlier, and CAs should
>work with customers to replace all existing SHA-1 certificates with a
>notAfter date later than 2017-01-01 before 2016-07-01. And, let's
>agree to enforce this in browsers by a check that rejects any SHA1
>cert with notBefore >= 2014-03-01 and notAfter > 2017-01-01, for any
>built-in CA, to be deployed before 2014-03-01. And, let's agree to
>review this yearly and adjust accordingly.
>This is the only realistic way that the 2017-01-01 cutoff date is
>going to be met, AFAICT.
>Public mailing list
>Public at cabforum.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5169 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20131115/4fd1aa2f/attachment-0001.p7s>

More information about the Public mailing list