[cabfpub] New Google policy on SHA-1 deprecation next 6-12 weeks

Ryan Sleevi sleevi at google.com
Fri Aug 22 10:13:03 MST 2014


Happy to respond in the forum where this was posted, to avoid fragmenting
discussions.

Which is to say, we won't be discussing this policy here, beyond the
announcement. We welcome and encourage all public participation in the
discussion.
On Aug 22, 2014 10:03 AM, "Tim Shirley" <TShirley at trustwave.com> wrote:

>  Can we clarify if the date checks apply only to the end-entity
> certificates?  Or do they also apply to the intermediates?  If the latter,
> that would require new SHA-1 intermediates to be issued with 2015-12-31
> expiration dates in order to offer option #1 to customers.
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On
> Behalf Of *kirk_hall at trendmicro.com
> *Sent:* Friday, August 22, 2014 12:15 PM
> *To:* CABFPub (public at cabforum.org)
> *Subject:* [cabfpub] New Google policy on SHA-1 deprecation next 6-12
> weeks
>
> For those CA/Browser Forum members who were not on the Forum conference
> call yesterday, I wanted to forward information that Google disclosed
> during the call that will affect all CAs.
>
> Google has announced a policy to deprecate many SHA-1 certificates and
> some SHA-256 certificates currently in use *in the next 6-12 weeks* (upon
> the release of Chrome version 39):
>
> https://groups.google.com/a/chromium.org/d/msg/security-dev/2-R4XziFc7A/NDI8cOwMGRQJ
>
> Here is how we understand this.
>
> Starting with Chrome 39, in about 12 weeks (mid-November), when Chrome
> encounters an SSL certificate that is SHA-1, or a SHA-256 certificate with
> a SHA-1 intermediate in the chain, the user will see a deprecated security
> UI.  Specifically:
>
> · If the SSL cert expires after 1/1/2016 but before 2017, then
> the user will see a padlock with a red line through it (and no green bar for
> EV certificates) and the page will be served up as normal with no user
> action.
>
> · If the SSL certificate expires after 1/1/2017, then the user
> will see the padlock with a red line through it, AND the page will be
> treated as mixed content and the user will need to perform an action to
> proceed.
>
> · Again, this will affect all SHA-1 certificates and all SHA-256
> certificates issued from a SHA-1 intermediate certificate, no matter when
> such certificates were issued or deployed.
>
> · Per Google, SHA-1 roots can still be used, but all certificates
> in the chain must be SHA-256 to avoid the negative UI.
>
> Google has told CAs that their affected customers have two choices over
> the next 6-12 weeks to avoid the negative UIs for their websites.
>
> · Customers can replace their SHA-1 certs that expire in 2016 or
> 2017 with new SHA-1 certs that expire no later than 12/31/2015 (same for
> new SHA-256 certs issued from a SHA-1 intermediate), and they will get the
> regular UI trust symbols in Chrome, or
>
> · Customers can replace their SHA-1 certs (or SHA-256 certs
> issued from a SHA-1 intermediate) with SHA-256 certs issued from SHA-256
> intermediates, which can expire in 2016 or 2017 and will receive the
> regular UI trust symbols in Chrome.
>
> *Kirk R. Hall*
>
> Operations Director, Trust Services
>
> Trend Micro
>
> +1.503.753.3088
>
> TREND MICRO EMAIL NOTICE
>
> The information contained in this email and any attachments is confidential
> and may be subject to copyright or other intellectual property protection.
> If you are not the intended recipient, you are not authorized to use or
> disclose this information, and we request that you notify us by reply mail or
> telephone and delete the original message from your mail system.
>
> ------------------------------
>
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is strictly prohibited. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
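The chain checks Kirk Hall's quoted summary describes (any SHA-1 signature on the leaf or an intermediate, root ignored, then the leaf's expiry against 1 Jan 2016 and 1 Jan 2017), as an added example that is not part of this thread and not Google's or any CA's code. It reads the text that `openssl x509 -noout -text` prints for each certificate, so a chain can be audited with nothing but openssl and Python. The sample certificate text is constructed for the example, the `_sample` helper and the result labels are assumptions, and the two date boundaries are read from the email's wording ("after 1/1/2016", "after 1/1/2017"); the Chromium post linked above is the authoritative statement of the policy.

```python
"""Classify a certificate chain under the Chrome 39 SHA-1 rules as they are
summarised in the thread above.

Input is the text `openssl x509 -noout -text` prints for each certificate
in the chain, leaf first and root last; only the "Signature Algorithm" and
"Not After" lines are read.  Added example, not code from the thread or
from Google; the date boundaries are assumptions taken from the email.
"""
import re
from datetime import datetime, timezone

SIG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+)")

# Assumed boundaries: "expires after 1/1/2016" is read as notAfter on or
# after 2016-01-01, "after 1/1/2017" as on or after 2017-01-01.
START_2016 = datetime(2016, 1, 1, tzinfo=timezone.utc)
START_2017 = datetime(2017, 1, 1, tzinfo=timezone.utc)


def parse_cert_text(text):
    """Return (signature_algorithm, not_after) from openssl -text output.

    openssl prints "Signature Algorithm" twice (inside tbsCertificate and
    again before the signature value); both name the same algorithm, so
    the first match is used.
    """
    sig = SIG_RE.search(text)
    not_after = NOT_AFTER_RE.search(text)
    if sig is None or not_after is None:
        raise ValueError("no Signature Algorithm / Not After line found")
    # openssl pads single-digit days ("Mar  1"); collapse the whitespace.
    stamp = " ".join(not_after.group(1).split())
    when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
    return sig.group(1), when.replace(tzinfo=timezone.utc)


def uses_sha1(sig_alg):
    """True for sha1WithRSAEncryption, ecdsa-with-SHA1 and similar names."""
    return "sha1" in sig_alg.lower()


def classify_chain(cert_texts):
    """Map a chain (leaf first, root last) to the UI the summary describes.

    Returns "ok", "degraded" (padlock with a red line, no EV bar) or
    "mixed-content" (red-line padlock plus the mixed-content treatment).
    The root's own signature is ignored, as the summary says SHA-1 roots
    stay usable; a SHA-1 signature anywhere else in the chain, on the leaf
    or an intermediate, triggers the expiry checks on the leaf.
    """
    parsed = [parse_cert_text(t) for t in cert_texts]
    _, leaf_not_after = parsed[0]
    # Every signature except the root's; a lone self-signed cert counts.
    checked = parsed[:-1] if len(parsed) > 1 else parsed
    if not any(uses_sha1(sig) for sig, _ in checked):
        return "ok"
    if leaf_not_after < START_2016:
        return "ok"
    if leaf_not_after < START_2017:
        return "degraded"
    return "mixed-content"


def _sample(sig_alg, not_after):
    """Constructed stand-in for `openssl x509 -noout -text` output (hypothetical helper)."""
    return (
        "Certificate:\n"
        "    Data:\n"
        "        Version: 3 (0x2)\n"
        f"        Signature Algorithm: {sig_alg}\n"
        "        Validity\n"
        "            Not Before: Aug 22 00:00:00 2014 GMT\n"
        f"            Not After : {not_after}\n"
        f"    Signature Algorithm: {sig_alg}\n"
    )


# Constructed sample chain members, not real certificates.
ROOT_SHA1 = _sample("sha1WithRSAEncryption", "Dec 31 23:59:59 2030 GMT")
INTERMEDIATE_SHA1 = _sample("sha1WithRSAEncryption", "Dec 31 23:59:59 2020 GMT")
INTERMEDIATE_SHA256 = _sample("sha256WithRSAEncryption", "Dec 31 23:59:59 2020 GMT")
LEAF_SHA256_2017 = _sample("sha256WithRSAEncryption", "Mar  1 12:00:00 2017 GMT")
LEAF_SHA1_2016 = _sample("sha1WithRSAEncryption", "Jun 30 12:00:00 2016 GMT")
LEAF_SHA1_2015 = _sample("sha1WithRSAEncryption", "Dec 31 23:59:59 2015 GMT")

if __name__ == "__main__":
    chains = {
        "SHA-256 leaf, SHA-1 intermediate, 2017 expiry": [LEAF_SHA256_2017, INTERMEDIATE_SHA1, ROOT_SHA1],
        "SHA-256 leaf and intermediate, SHA-1 root": [LEAF_SHA256_2017, INTERMEDIATE_SHA256, ROOT_SHA1],
        "SHA-1 leaf expiring mid-2016": [LEAF_SHA1_2016, INTERMEDIATE_SHA1, ROOT_SHA1],
        "SHA-1 leaf expiring 31 Dec 2015": [LEAF_SHA1_2015, INTERMEDIATE_SHA1, ROOT_SHA1],
    }
    for label, chain in chains.items():
        print(f"{label}: {classify_chain(chain)}")
```

To run it against a real site, split the served chain into one file per certificate (for example from `openssl s_client -showcerts`), run `openssl x509 -noout -text` on each, and pass the outputs to `classify_chain` in leaf-to-root order. The second sample chain is the case Tim Shirley asks about: a SHA-256 leaf under a SHA-256 intermediate is reported "ok" even though the root is SHA-1, while a SHA-1 intermediate under a 2017 leaf is the worst case regardless of the leaf's own algorithm.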