[cabfpub] [cabfquest] FW: SHA1 Deprecation Ballot

Ryan Sleevi sleevi at google.com
Thu Feb 20 16:30:24 UTC 2014


Hi Bruce,

I just wanted to echo Ben's sentiment and our support for the deprecation
of SHA-1. Although Microsoft has led the way, we actively consider these
dates "Good dates". The only thing that can or should change such a
timeline would be some degree of unforeseen exigent circumstance, and this
is highly unlikely.

I believe the only way the Forum will make meaningful progress on this is
by incorporating these dates into the Forum's Guidelines - and, as I
discussed yesterday, by ratcheting up the UI in Browsers to indicate the
decreasing trust and faith in SHA-1.

However, we need to make progress by the dates set forth. It's unfortunate
that we cannot set the dates more aggressively, but we must not find
ourselves in another MD5, where CAs were continuing to issue years after it
was known to be broken.

So consider this (and related efforts) as having our full support.


On Thu, Feb 20, 2014 at 6:37 AM, Bruce Morton <bruce.morton at entrust.com> wrote:

> I’m concerned with this ballot.
>
>
>
> Microsoft has stated a policy, but has also stated that they may change
> the policy in 2015. Nevertheless, all CAs must comply with Microsoft’s
> policy as it evolves.
>
>
>
> If a change is made to the Baseline Requirements, then the CAB Forum
> should consider that they will change the policy if Microsoft does.
>
>
>
> If the CAB Forum wants to manage this policy themselves, then there should
> be work done to get data to justify the policy. When should we protect
> against collision? When should we protect against Preimage and
> Second-Preimage? When will SHA2 be sufficiently supported? If the CAB Forum
> is not doing work to get this data, then how do you justify the policy?
>
>
>
> If Microsoft is doing the work to create the plan for SHA1 deprecation,
> then I think that the CAs should just follow their lead. When the plan is
> finalized, then it should be incorporated into the BRs.
>
>
>
> Bruce.
>
>
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> *On Behalf Of* Ben Wilson
> *Sent:* Wednesday, February 19, 2014 3:02 PM
> *To:* public at cabforum.org
> *Subject:* [cabfpub] SHA1 Deprecation Ballot
>
>
>
> I’m not sure whether I’ve captured it all, but here is a rough draft of a
> possible ballot for the Baseline Requirements.
>
>
>
> Effective immediately CAs SHOULD begin migrating away from using the SHA-1
> hashing algorithm to sign SSL/TLS and code signing certificates.
>
>
>
> Beginning January 1, 2016, CAs SHALL NOT use the SHA-1 hashing algorithm
> to sign SSL/TLS or code signing certificates.
>
>
>
> Please provide your comments, edits, etc.,
>
>
>
> Thanks,
>
>
>
> Ben