[cabfpub] SHA1 Deprecation Ballot

Jeremy Rowley jeremy.rowley at digicert.com
Thu Mar 13 15:26:58 UTC 2014

Plus, the proposed requirement only requires that a CA provide its auditor
with documentation about its belief that SHA1 is still required. Depending
on the auditor, a CA could simply document everything as an economic outlay
and then issue SHA1 without any actual restrictions.


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rob Stradling
Sent: Thursday, March 13, 2014 8:04 AM
To: Gervase Markham; ben at digicert.com; 'Ryan Sleevi'; 'Eddy Nigg (StartCom
Cc: 'CABFPub'
Subject: Re: [cabfpub] SHA1 Deprecation Ballot

On 13/03/14 13:38, Gervase Markham wrote:
> On 13/03/14 12:38, Rob Stradling wrote:
>>> (d) is difficult to patch or replace without substantial economic
>> As written, I think that if these proposed legacy exceptions apply 
>> anywhere, then they apply pretty much everywhere.
>> XP SP2 meets (a), (b) and (d) (where "substantial" means whatever the 
>> reader wants it to mean).
> It doesn't meet d); you can install SP3 without substantial economic 
> outlay.

If you're running a licensed copy of XP SP2, then yes.

If you're running an unlicensed copy of XP SP2, then no.  SP3 was when
Windows Genuine Advantage first appeared, IINM, so you would struggle to
upgrade to SP3 without "substantial economic outlay".  And where would you
purchase an XP licence from these days anyway?

AIUI, there are _a lot_ of users running XP SP2 for this reason.  Yes, it's
illegal and we obviously do not condone it, but (as far as this proposed
ballot is concerned) I would say that these users are still "Relying
Parties" and what they are using is still "software".

> (I assume that Microsoft de-supporting XP doesn't mean that they are 
> pulling down all the downloads relating to it.)

I'm not sure that that's a safe assumption.

"An unsupported version of Windows will no longer receive software updates
from Windows Update."

Perhaps somebody from Microsoft could clarify?

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
