[cabfpub] Request for six month delay on new Google SHA-1 deprecation policy

kirk_hall at trendmicro.com
Thu Aug 28 16:45:46 MST 2014

[Reposting from Google SHA-1 list]

-----Original Message-----
From: Kirk Hall (RD-US)
Sent: Thursday, August 28, 2014 4:45 PM
To: 'Chris Palmer'
Cc: rsleevi at chromium.org; security-dev; blink-dev; steve.medin at gmail.com; net-dev
Subject: RE: Intent to Deprecate: SHA-1 certificates

But Chris -- you are using a blunderbuss when you could use a high accuracy rifle (or better).

This policy is making compliant companies like Trend Micro contact all their customers now and make them replace all their SHA-1 certs (certs that all expire in 2014, 2015, and 2016) now -- when there is no need for that.  Some customers have thousands of certs from many dozens of domains -- domestic and international.  Why do we and our customers have to do this?

A six-month delay would still effectively eliminate all SHA-1 certs by the end of 2015 -- the same as Google's current deadline -- so you reach the same result.  So why not give website owners and CAs some extra time to respond to this surprise policy?  And get them past the holiday retail season website lockdown?

-----Original Message-----
From: Chris Palmer [mailto:palmer at google.com]
Sent: Thursday, August 28, 2014 4:39 PM
To: Kirk Hall (RD-US)
Cc: rsleevi at chromium.org; security-dev; blink-dev; steve.medin at gmail.com; net-dev
Subject: Re: Intent to Deprecate: SHA-1 certificates

On Thu, Aug 28, 2014 at 4:29 PM, kirk_hall at trendmicro.com <kirk_hall at trendmicro.com> wrote:

> As I mentioned before, our company already restricted our offerings so no customer can get a SHA-1 certificate expiring after 2016, so we are already in compliance.

Great! Thank you.

> Why are you effectively pushing back the SHA-1 deprecation deadline by two years on such short notice?

SHA-1 is now, and has been for some time, deprecated. The deadline is for when SHA-1 will be not just deprecated but *outright disabled*.

So, we are surfacing the deprecation *now*, so that all CAs will do as Trend Micro has done, and won't suddenly be caught off-guard when SHA-1 is indeed turned off as scheduled.
