[cabfpub] SHA1 Deprecation Ballot

Doug Beattie doug.beattie at globalsign.com
Thu Feb 20 18:54:42 UTC 2014


Ben,

 

While this may be obvious to most of us, we should explicitly state that all
CA certificates in the hierarchy up to, but not including the publicly
trusted root, must also not be SHA-1.

 

Doug

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Wednesday, February 19, 2014 3:02 PM
To: public at cabforum.org
Subject: [cabfpub] SHA1 Deprecation Ballot

 

I'm not sure whether I've captured it all, but here is a rough draft of a
possible ballot for the Baseline Requirements. 

 

Effective immediately CAs SHOULD begin migrating away from using the SHA-1
hashing algorithm to sign SSL/TLS and code signing certificates.   

 

Beginning January 1, 2016, CAs SHALL NOT use the SHA-1 hashing algorithm to
sign SSL/TLS or code signing certificates.

 

Please provide your comments, edits, etc., 

 

Thanks,

 

Ben

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140220/a59e31ec/attachment-0003.html>


More information about the Public mailing list