[cabfpub] [cabfquest] FW: SHA1 Deprecation Ballot

Ben Wilson ben at digicert.com
Thu Feb 20 17:50:51 UTC 2014


By taking no action to support something other than SHA1.  In truth, I don't know whether that is true, so I guess we'd better check which CAs are still using MD5, SHA1, and nothing else. 

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rob Stradling
Sent: Thursday, February 20, 2014 10:33 AM
To: Ben Wilson; Bruce Morton; public at cabforum.org
Subject: Re: [cabfpub] [cabfquest] FW: SHA1 Deprecation Ballot

Ben, I'm puzzled about what you meant by "For now, I believe most CAs are already in compliance."

How can a CA be non-compliant this side of July 2015?

On 20/02/14 15:41, Ben Wilson wrote:
> The problem is that we need more certainty for planning purposes and 
> to be able to make meaningful progress in order to accomplish what 
> Microsoft is recommending for us to do.  This is merely ratifying what 
> we all know is the de facto policy due to Microsoft's position, which 
> they have indicated will not change.  We can tweak this plan later in 
> July 2015 if  Microsoft tweaks its policy, and between now and then 
> we'll have the opportunity to collect data.  For now, I believe most 
> CAs are already in compliance.
> ----------------------------------------------------------------------
> --
> From: Bruce Morton <mailto:bruce.morton at entrust.com>
> Sent: ‎2/‎20/‎2014 6:38 AM
> To: questions at cabforum.org <mailto:questions at cabforum.org>
> Subject: [cabfquest] FW: [cabfpub] SHA1 Deprecation Ballot
>
> I’m concerned with this ballot.
>
> Microsoft has stated a policy, but have also stated that they may 
> change the policy in 2015. Nevertheless, all CAs must comply with 
> Microsoft’s policy as it evolves.
>
> If a change is made to the Baseline Requirements, then the CAB Forum 
> should consider that they will change the policy if Microsoft does.
>
> If the CAB Forum wants to manage this policy themselves, then there 
> should be work done to get data to justify the policy. When should we 
> protect against collision? When should we protect against Preimage and 
> Second-Preimage? When will SHA2 be sufficiently supported? If the CAB 
> Forum is not doing work to get this data, then how do you justify the 
> policy?
>
> If Microsoft is doing the work to create the plan for SHA1 
> deprecation, then I think that the CAs should just follow their lead. 
> When the plan is finalized, then it should be incorporated into the BRs.
>
> Bruce.
>
> *From:*public-bounces at cabforum.org 
> [mailto:public-bounces at cabforum.org]
> *On Behalf Of *Ben Wilson
> *Sent:* Wednesday, February 19, 2014 3:02 PM
> *To:* public at cabforum.org
> *Subject:* [cabfpub] SHA1 Deprecation Ballot
>
> I’m not sure whether I’ve captured it all, but here is a rough draft 
> of a possible ballot for the Baseline Requirements.
>
> Effective immediately CAs SHOULD begin migrating away from using the
> SHA-1 hashing algorithm to sign SSL/TLS and code signing certificates.
>
> Beginning January 1, 2016, CAs SHALL NOT use the SHA-1 hashing 
> algorithm to sign SSL/TLS or code signing certificates.
>
> Please provide your comments, edits, etc.,
>
> Thanks,
>
> Ben
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690 Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.  If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by COMODO for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software.
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5453 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140220/e3e6578f/attachment-0001.p7s>


More information about the Public mailing list