[cabfpub] SHA1 Deprecation Ballot

Ben Wilson ben at digicert.com
Fri Feb 28 00:59:14 UTC 2014


Let's say we adopt this as a guideline.  Then, what if we want to fine-tune
it based on Microsoft's July 2015 review of progress made?  How can we amend
the guideline and put that amendment in place before January 1, 2016?
(Let's say that based on Microsoft's review, it appears that Application X
and its users need more time.  Won't a CA that is providing SSL services for
Application X say that six months is not enough time for the CAB Forum to
adopt an exception and for it to change its code and certificate issuance
processes to allow an exception for Application X and its users)?  In other
words, don't we need feedback from Microsoft prior to July 2015 in order to
put an amendment in place?   If we adopt this provision, won't we need to
revisit it in about 12 months? 

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Doug Beattie
Sent: Thursday, February 20, 2014 11:55 AM
To: ben at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] SHA1 Deprecation Ballot

 

Ben,

 

While this may be obvious to most of us, we should explicitly state that all
CA certificates in the hierarchy up to, but not including the publicly
trusted root, must also not be SHA-1.

 

Doug

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Wednesday, February 19, 2014 3:02 PM
To: public at cabforum.org
Subject: [cabfpub] SHA1 Deprecation Ballot

 

I'm not sure whether I've captured it all, but here is a rough draft of a
possible ballot for the Baseline Requirements. 

 

Effective immediately CAs SHOULD begin migrating away from using the SHA-1
hashing algorithm to sign SSL/TLS and code signing certificates.   

 

Beginning January 1, 2016, CAs SHALL NOT use the SHA-1 hashing algorithm to
sign SSL/TLS or code signing certificates.

 

Please provide your comments, edits, etc., 

 

Thanks,

 

Ben

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140227/87f1d626/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5453 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140227/87f1d626/attachment-0001.p7s>


More information about the Public mailing list