[cabfpub] Guidance on Microsoft SHA1 Deprecation Policy

Doug Beattie doug.beattie at globalsign.com
Wed Jan 22 23:29:51 UTC 2014

Thanks Tom.


I'm sorry to keep asking follow-up questions, but I assume this applies to
Roots that are not distributed within the MS program as well.  Just wanted
to confirm that private root customers (including large government PKIs)
also need to comply, not just the public CAs and their publicly trusted
From: Tom Albertson [mailto:tomalb at microsoft.com] 
Sent: Wednesday, January 22, 2014 5:29 PM
To: Doug Beattie; CABFPub
Subject: RE: [cabfpub] Guidance on Microsoft SHA1 Deprecation Policy


Hi Doug,


The SHA1 deprecation policy states that Windows Vista and later will stop
accepting SHA1 end-entity certificates by the deadlines given.  This will
apply to all certificates issued under the root hierarchy including SSL,
secure email, client authentication, and code signing.  We expect all
certificate types excluding code signing and time stamping to follow the SSL
deprecation schedule.



From: public-bounces at cabforum.org <mailto:public-bounces at cabforum.org>
[mailto:public-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Wednesday, January 22, 2014 8:42 AM
Subject: [cabfpub] Guidance on Microsoft SHA1 Deprecation Policy


The Microsoft policy is located here, as I'm sure you all know:



The policy clearly states the scope of this policy is for SSL and Code
Signing, but I wanted to validate that this is in fact the entire set of
users which will be impacted in 2017.


While not clear in the blog, in side discussions it became evident that
all CAs in the hierarchy of an SSL or Code Signing certificate (except the
root) must also be SHA2.  This makes sense even if not explicitly stated (it
should be stated at some point).  This means legacy SHA1 Intermediates
cannot be used to sign subordinate SHA2 CAs and be trusted in 2017 for SSL
and Code Signing certificates.


I wanted to inquire about personal certificates used for secure mail,
client authentication to web sites (including Microsoft web servers),
document signing (outside of Adobe), file encryption, etc.  Will SHA1
certificates and CA hierarchies continue to be trusted by Microsoft within
these applications, or is Microsoft rolling out new validation logic
globally for all certificates?
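The rule Doug describes above (every CA below the root must already be SHA2) is one a CA can audit over its own chains. The following is an added example, not code from this thread or from Microsoft: it reads only the outer signatureAlgorithm field of DER certificates using the standard library, and the certificates it builds are constructed stand-ins (placeholder tbsCertificate, no real signature), not real certificates.

```python
# Added example: audit a chain (leaf first, root last) for SHA-1 signatures below the root.
SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

def _tlv(tag, content):
    # DER tag-length-value; short-form length is enough for these small stand-ins
    return bytes([tag, len(content)]) + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                 # base-128, high bit set on all but the last byte
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def make_cert(sig_oid):
    """Constructed stand-in: Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))           # placeholder tbsCertificate
    alg = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")   # AlgorithmIdentifier with NULL params
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\xAA"))

def _read_tlv(buf, pos):
    # Returns (tag, content, position after the element); handles long-form lengths
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def signature_oid(cert):
    """Dotted OID from the outer signatureAlgorithm field of a DER certificate."""
    _, body, _ = _read_tlv(cert, 0)          # Certificate SEQUENCE
    _, _, after_tbs = _read_tlv(body, 0)     # skip tbsCertificate
    _, alg, _ = _read_tlv(body, after_tbs)   # signatureAlgorithm SEQUENCE
    _, oid, _ = _read_tlv(alg, 0)            # its algorithm OID
    arcs, val = [oid[0] // 40, oid[0] % 40], 0
    for b in oid[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def sha1_below_root(chain):
    """Indices (leaf = 0) of certificates signed with SHA-1, ignoring the root."""
    return [i for i, c in enumerate(chain[:-1]) if signature_oid(c) == SHA1_RSA]
```

On real DER input only the three functions after make_cert are needed; a non-empty result from sha1_below_root marks a chain that the policy above would stop trusting even when the leaf itself is SHA2.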


