[cabfpub] SHA1 Deprecation Ballot

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Sun Mar 9 14:19:49 MST 2014


On 03/09/2014 09:19 AM, From Ben Wilson:
>
> I’ve proposed language to replace the current footnote concerning SHA1 
> in Appendix A, feel free to edit:
>
> *   "Effective immediately CAs SHOULD begin migrating away from using 
> the SHA-1 hashing algorithm to sign Subscriber Certificates.  CAs 
> SHOULD advise Applicants that Microsoft has indicated that Windows 
> will stop accepting SHA1 certificates on 1 January 2017 or sooner if 
> the algorithm becomes vulnerable to cryptographic attack."  
> Alternatively, it could  be re-phrased to say, “CAs may want to advise 
> Applicants that …”, but this draft has “SHOULD”.
>


In my opinion this is too vague - as long as CAs will issue SHA1 certs 
(and there is still a very high demand for it) others are forced to do 
the same. I suggest that there should be a fixed date(s) that defines 
when a certificate can't be issued anymore with a SHA1 hash.

In the end those that chose to refuse SHA1 certs will lose again when in 
2017 there are still X% of SHA1 certs out there and because of that the 
sunset date will be extended. We've seen it already multiple times and 
as long there is no set date it will not happen and all the rest above 
not relevant at all. Even when they'll become prohibited there will be 
CAs that will issue them (we've seen that too)...


Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20140309/24c640f7/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
Url : https://cabforum.org/pipermail/public/attachments/20140309/24c640f7/attachment.bin 


More information about the Public mailing list