[cabfpub] SHA-1 changes and certificate lifetimes

Geoff Keating geoffk at apple.com
Tue Nov 19 00:53:12 UTC 2013

On 16 Nov 2013, at 2:48 am, Steve Roylance <steve.roylance at globalsign.com> wrote:

> Mac OSX 1.5 was the first version to support SHA256, but what is the %age
> of previous versions still in use?  1%, 0.1%, 0.01% etc   In fact do you
> have something similar to this on Android adoption that all CAs can use to
> assure their subscribers that relying party issues will be minor?
> http://en.wikipedia.org/wiki/Android_version_history

Hi Steve,

This is a somewhat difficult question to answer.  It deals with events many years ago, for which relevant data is not readily accessible.  For example, I no longer have any systems which can run any version of Mac OS X 10.4.

For OS X market share numbers, I'd refer you to <http://netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0>.  You'll notice they don't even have a row for Mac OS X 10.3, although perhaps that's part of "no version reported" at 0.01%.  All systems that can run 10.3, and most that can run 10.4, are PowerPC, and so cannot run any recent version of OS X.

Based on the records I can find, I believe that SHA256 was implemented and available for use in certificates starting with Mac OS X 10.4 GM.  I could be wrong about this.

For a specific certificate chain, you would want to check that it actually works in these older OSs, SHA256 or not.  The last 10.4 security update (and so the last opportunity to update the trusted root list) was in 2009.
