[cabfpub] Request for six month delay on new Google SHA-1 deprecation policy

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Aug 28 16:16:03 MST 2014

[Reposting from Google's SHA-1 list]

From: security-dev at chromium.org [mailto:security-dev at chromium.org] On Behalf Of Kirk Hall
Sent: Thursday, August 28, 2014 4:15 PM
To: security-dev at chromium.org
Cc: Kirk Hall (RD-US); rsleevi at chromium.org; blink-dev at chromium.org; steve.medin at gmail.com; net-dev at chromium.org; rsleevi at chromium.org
Subject: Re: Intent to Deprecate: SHA-1 certificates

Ryan -- seriously -- if you can point us to where, in the strings you referenced, that Google's new policy was first disclosed to CAs, and if it was about six months ago, you will receive a full and abject public apology from me, and no further complaints about the new policy.

So please resolve this once and for all -- where and when exactly do you believe that Google first disclosed this new policy?

On Thursday, August 28, 2014 3:40:13 PM UTC-7, Ryan Sleevi wrote:
Hi Kirk,

I can't help but feel you're intentionally being misleading. I would encourage you to read it again and confer with your colleagues.

It was clear enough, and long enough, a discussion that  Bob (on behalf of Mozilla) was able to state it simply and succinctly in the text I conveniently highlighted for you in that thread. I'm not sure how there can be any ambiguity on that, and it's the exact same policy now being proposed here.

All the best,

On Thu, Aug 28, 2014 at 3:36 PM, Kirk Hall <kirk... at trendmicro.com<javascript:>> wrote:
Sorry, Ryan -- I don't see Google's new policy in any of those threads.  Can you point it out?

On Thursday, August 28, 2014 3:30:23 PM UTC-7, Ryan Sleevi wrote:

On Thu, Aug 28, 2014 at 3:18 PM, kirk... at trendmicro.com<mailto:kirk... at trendmicro.com> <kirk... at trendmicro.com<mailto:kirk... at trendmicro.com>> wrote:
Ryan - you keep saying Google told all CAs about this policy six months ago.  What are you referring to?  The CA/Browser Forum meeting in February?  You made no mention of this policy at that time.  See again the meeting minutes below from February 19, 2014.

Hi Kirk,

I fear you may have missed the messages on this thread where I've identified that for you particularly, and for others.

For your reference, I direct you to https://groups.google.com/a/chromium.org/d/msg/security-dev/2-R4XziFc7A/OAvNrBvhD5QJ

I note that I have already provided this link to you before, as shown on https://cabforum.org/pipermail/public/2014-August/003742.html

Hopefully you can take the opportunity to read it.

<table class="TM_EMAIL_NOTICE"><tr><td><pre>
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20140828/3ac7106d/attachment.html 

More information about the Public mailing list