[cabfpub] SHA1 Deprecation Ballot

Ryan Sleevi sleevi at google.com
Thu Feb 20 19:35:49 UTC 2014


Correct - we should ensure that Appendix A (which is normative) is
appropriately updated to reflect the timelines.

Doug, do you think this provides sufficient clarification regarding the
applicability to the entire hierarchy?


On Thu, Feb 20, 2014 at 10:54 AM, Doug Beattie
<doug.beattie at globalsign.com>wrote:

> Ben,
>
>
>
> While this may be obvious to most of us, we should explicitly state that
> all CA certificates in the hierarchy up to, but not including the publicly
> trusted root, must also not be SHA-1.
>
>
>
> Doug
>
>
>
>
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On
> Behalf Of *Ben Wilson
> *Sent:* Wednesday, February 19, 2014 3:02 PM
> *To:* public at cabforum.org
> *Subject:* [cabfpub] SHA1 Deprecation Ballot
>
>
>
> I’m not sure whether I’ve captured it all, but here is a rough draft of a
> possible ballot for the Baseline Requirements.
>
>
>
> Effective immediately CAs SHOULD begin migrating away from using the SHA-1
> hashing algorithm to sign SSL/TLS and code signing certificates.
>
>
>
> Beginning January 1, 2016, CAs SHALL NOT use the SHA-1 hashing algorithm
> to sign SSL/TLS or code signing certificates.
>
>
>
> Please provide your comments, edits, etc.,
>
>
>
> Thanks,
>
>
>
> Ben
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140220/149e95b2/attachment-0003.html>


More information about the Public mailing list