[cabfpub] SHA1 Deprecation Ballot

Doug Beattie doug.beattie at globalsign.com
Thu Feb 20 21:15:03 UTC 2014



Yes, Appendix A needs to be updated, perhaps with a 3rd column, to specify a new set of dates and a new set  associated minimum security parameters.  The Root and SubCA sections also need to be updated to clearly state that on a certain date the CAs that are within the cert chain must meet certain requirements (which are not related to when the CA was created).  If there is any uncertainty about how cross certificates need to be formatted, that also needs to be specified.


Sounds like someone’s got a tasker, I’ll take a shot at it.





From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Thursday, February 20, 2014 2:36 PM
To: Doug Beattie
Cc: Ben Wilson; CABFPub
Subject: Re: [cabfpub] SHA1 Deprecation Ballot


Correct - we should ensure that Appendix A (which is normative) is appropriately updated to reflect the timelines.


Doug, do you think this provides sufficient clarification regarding the applicability to the entire hierarchy?


On Thu, Feb 20, 2014 at 10:54 AM, Doug Beattie <doug.beattie at globalsign.com <mailto:doug.beattie at globalsign.com> > wrote:



While this may be obvious to most of us, we should explicitly state that all CA certificates in the hierarchy up to, but not including the publicly trusted root, must also not be SHA-1.





From: public-bounces at cabforum.org <mailto:public-bounces at cabforum.org>  [mailto:public-bounces at cabforum.org <mailto:public-bounces at cabforum.org> ] On Behalf Of Ben Wilson
Sent: Wednesday, February 19, 2014 3:02 PM
To: public at cabforum.org <mailto:public at cabforum.org> 
Subject: [cabfpub] SHA1 Deprecation Ballot


I’m not sure whether I’ve captured it all, but here is a rough draft of a possible ballot for the Baseline Requirements. 


Effective immediately CAs SHOULD begin migrating away from using the SHA-1 hashing algorithm to sign SSL/TLS and code signing certificates.   


Beginning January 1, 2016, CAs SHALL NOT use the SHA-1 hashing algorithm to sign SSL/TLS or code signing certificates.


Please provide your comments, edits, etc., 





Public mailing list
Public at cabforum.org <mailto:Public at cabforum.org> 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140220/4ab25026/attachment-0003.html>

More information about the Public mailing list