[cabfpub] Microsoft SHA-1 deprecation problem for Kernel Mode Code Signing

Richard@WoSign richard at wosign.com
Fri Apr 11 02:06:36 UTC 2014

Yes, our test shows that kernel mode doesn't support SHA2 certs.

Best Regards,

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of GlobalSign(Yasuyuki Inui)
Sent: Friday, April 11, 2014 9:15 AM
To: Public at cabforum.org
Subject: Re: [cabfpub] Microsoft SHA-1 deprecation problem for Kernel Mode Code Signing


Hi Tom-san

Is this patch (SHA2 codesign for kernel mode on Vista and Win7) already released?

Our customer seems to encounter this problem, but I am not sure of the exact reason.

On 13/11/2013 17:43, "Tom Albertson" <tomalb at microsoft.com> wrote:

>Hi Rob,
>
>Yes, we are making changes to supported Windows versions to support SHA-2
>for kernel mode code signing.  The patch will come out publicly, and we
>will notify kernel mode CAs about the expected timeframe and overall kmod
>
>-----Original Message-----
>From: Rob Stradling [mailto:rob.stradling at comodo.com]
>Sent: Wednesday, November 13, 2013 4:18 AM
>To: Tom Albertson; Kelvin Yiu
>Cc: public at cabforum.org
>Subject: Microsoft SHA-1 deprecation problem for Kernel Mode Code Signing
>
>Tom, Kelvin,
>
>I know you're already aware that Windows Vista and Windows 7 are unable
>to use SHA-2 certificates for Kernel Mode Code Signing.
>
>Your SHA-1 deprecation advisory [1] says:
>"Recommendation: Microsoft recommends that certificate authorities no
>longer sign newly generated certificates using the SHA-1 hashing
>algorithm and begin migrating to SHA-2. Microsoft also recommends that
>customers replace their SHA-1 certificates with SHA-2 certificates at the
>earliest opportunity."
>
>I understand this to mean that, ideally, you'd like us to switch from
>SHA-1 to SHA-2 _today_, for the issuance of new SSL certificates and Code
>Signing Certificates.
>
>Does this mean that you've managed to hotfix all deployed Vista/7 boxes
>on the planet, so that SHA-2 certificates can now be used for Kernel Mode
>Code Signing?
>
>If not, how do you intend to address this issue?
>(I presume you're not phasing out Windows 7 at the same time as phasing
>out SHA-1!!)
>
>[1] https://technet.microsoft.com/en-us/security/advisory/2880823
>
>Rob Stradling
>Senior Research & Development Scientist
>COMODO - Creating Trust Online