[cabfpub] Microsoft SHA-1 deprecation problem for Kernel Mode Code Signing

Kelvin Yiu kelviny at exchange.microsoft.com
Wed Apr 16 22:01:51 UTC 2014

Sorry, we cannot provide a date for the patch at this time. I will update the forum on its availability as soon as I can.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of GlobalSign(Yasuyuki Inui)
Sent: Wednesday, April 16, 2014 1:43 PM
To: Public at cabforum.org
Subject: Re: [cabfpub] Microsoft SHA-1 deprecation problem for Kernel Mode Code Signing

Hi Tom-san

Can you give me the estimate for this patch if possible?


2014-04-10 22:06 GMT-04:00 Richard at WoSign <richard at wosign.com>:
Yes, our test result is that kernel mode doesn't support SHA2 certs.

Best Regards,


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of GlobalSign(Yasuyuki Inui)
Sent: Friday, April 11, 2014 9:15 AM
To: Public at cabforum.org
Subject: Re: [cabfpub] Microsoft SHA-1 deprecation problem for Kernel Mode Code Signing

Hi Tom-san

Is this patch (SHA-2 code signing for kernel mode on Vista and Win7) already released?
Our customer seems to be encountering this problem, but I am not sure of the exact reason.



On 13/11/2013 17:43, "Tom Albertson" <tomalb at microsoft.com> wrote:

>Hi Rob,
>Yes, we are making changes to supported Windows versions to support SHA-2
>for kernel mode code signing.  The patch will come out publicly, and we
>will notify kernel mode CAs about the expected timeframe and overall kmod
>-----Original Message-----
>From: Rob Stradling [mailto:rob.stradling at comodo.com]
>Sent: Wednesday, November 13, 2013 4:18 AM
>To: Tom Albertson; Kelvin Yiu
>Cc: public at cabforum.org
>Subject: Microsoft SHA-1 deprecation problem for Kernel Mode Code Signing
>Tom, Kelvin,
>I know you're already aware that Windows Vista and Windows 7 are unable
>to use SHA-2 certificates for Kernel Mode Code Signing.
>Your SHA-1 deprecation advisory [1] says:
>"Recommendation: Microsoft recommends that certificate authorities no
>longer sign newly generated certificates using the SHA-1 hashing
>algorithm and begin migrating to SHA-2. Microsoft also recommends that
>customers replace their SHA-1 certificates with SHA-2 certificates at the
>earliest opportunity."
>I understand this to mean that, ideally, you'd like us to switch from
>SHA-1 to SHA-2 _today_, for the issuance of new SSL certificates and Code
>Signing Certificates.
>Does this mean that you've managed to hotfix all deployed Vista/7 boxes
>on the planet, so that SHA-2 certificates can now be used for Kernel Mode
>Code Signing?
>If not, how do you intend to address this issue?
>(I presume you're not phasing out Windows 7 at the same time as phasing
>out SHA-1!!)
>[1] https://technet.microsoft.com/en-us/security/advisory/2880823
>Rob Stradling
>Senior Research & Development Scientist
>COMODO - Creating Trust Online
