[cabfpub] SHA1 Deprecation Ballot

Erwann Abalea erwann.abalea at keynectis.com
Thu Feb 20 10:33:34 UTC 2014


Since this is driven by evolution of Microsoft Root CP tech 
requirements, lets start from it. [*]

Here's my understanding.

If the certificate is a TLS one, it won't be valid after 01.01.2017.

If the certificate is a Code Signing one, and the code it signs has been 
timestamped before 01.01.2016, such code will be accepted until MS 
decides that SHA1 is vulnerable enough to a second preimage attack. (I 
added the "second" because that's the real attack, obviously, if you can 
do a preimage, a second preimage is easy)
If the certificate is a Code Signing one, and the code it signs is not 
timestamped or is timestamped after 01.01.2016, this code won't be 
considered valid after 01.01.2016.


[*] 
http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx

-- 
Erwann ABALEA

Le 19/02/2014 21:06, i-barreira at izenpe.net a écrit :
>
> Would that mean that someone can issue a 3 years SHA1 certificate on 
> 31.12.2015 and would be valid until 31.12.2018?
>
> *Iñigo Barreira*
> Responsable del Área técnica
> i-barreira at izenpe.net <mailto:i-barreira at izenpe.net>
>
> 945067705
>
> Descripción: cid:image001.png at 01CE3152.B4804EB0
>
> ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta 
> egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada 
> (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, 
> korreo honi erantzuna. KONTUZ!
> ATENCION! Este mensaje contiene informacion privilegiada o 
> confidencial a la que solo tiene derecho a acceder el destinatario. Si 
> usted lo recibe por error le agradeceriamos que no hiciera uso de la 
> informacion y que se pusiese en contacto con el remitente.
>
> *De:*public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] 
> *En nombre de *Ben Wilson
> *Enviado el:* miércoles, 19 de febrero de 2014 21:02
> *Para:* public at cabforum.org
> *Asunto:* [cabfpub] SHA1 Deprecation Ballot
>
> I'm not sure whether I've captured it all, but here is a rough draft 
> of a possible ballot for the Baseline Requirements.
>
> Effective immediately CAs SHOULD begin migrating away from using the 
> SHA-1 hashing algorithm to sign SSL/TLS and code signing certificates.
>
> Beginning January 1, 2016, CAs SHALL NOT use the SHA-1 hashing 
> algorithm to sign SSL/TLS or code signing certificates.
>
> Please provide your comments, edits, etc.,
>
> Thanks,
>
> Ben
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140220/f247b951/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 19121 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140220/f247b951/attachment-0003.png>


More information about the Public mailing list