[cabfpub] Ballot 118 - SHA1 Sunset

Gervase Markham gerv at mozilla.org
Fri Oct 3 01:57:40 MST 2014


On 02/10/14 20:55, Ben Wilson wrote:
> Effective 1 January 2016, CAs MUST NOT issue any new Subscriber
> certificates or Subordinate CA certificates using the SHA-1 hash
> algorithm.

It is worth noting the ramifications of this.

If we assume that any site can present at most one certificate, and
furthermore that every site needs to work in very modern browsers which
are implementing SHA-1-deprecating UI such as recent Chrome or recent
IE, then the CAB Forum making a requirement is basically the same thing
as the browsers making a requirement.

However, if someone were to add a feature to a webserver where it could
send different certs to different clients based on SSL handshake
fingerprinting, then (without a CAB Forum ballot) they could continue to
use SHA-1 certs for older browsers and use SHA-256 for newer ones. But
if we pass this ballot, we preclude that possibility.

The situation which makes me think of this is as follows. Firefox has a
download site, served over HTTPS. We have many people who want to
download Firefox to get a supported and secure browser, who are on XP
SP2 or below. If we switch the cert for that site completely to SHA-256,
they are caught in a chicken and egg situation - they can't get a
SHA-256-supporting browser until they get a SHA-256-supporting browser!

The only other possibility is to make the initial load of the download
page over HTTP, then redirect to two different sites based on a
JavaScript test of the OS version. But clearly, we would much prefer
end-to-end SSL for the entire experience. (Also, there are lots of
direct-to-HTTPS download links out there already.)

One way we could solve this problem is by making our webservers do SSL
handshake sniffing, and serve different certs to different clients. But
if the CAB Forum passes this ballot, we would have trouble getting a
SHA-1 cert to serve to the legacy clients.

Gerv
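The "SSL handshake sniffing" Gerv describes above has a concrete hook in TLS 1.2: the signature_algorithms extension (RFC 5246, section 7.4.1.4.1) lists the hash/signature pairs the client accepts, and a client that omits it is, per the RFC, assumed to accept only SHA-1 with RSA. The following is an added example, not Mozilla's server code or anything from the list thread: it builds two constructed ClientHello records, parses the extension out of them, and returns which of two hypothetical chains ("sha256" or "sha1") the server should present. The chain names and the minimal ClientHello builder are assumptions for the example; a production server would do this inside its certificate-selection callback rather than parse records by hand.

```python
"""Pick a certificate chain per client from the TLS 1.2 signature_algorithms
extension. Added example with constructed input; not code from the mailing
list or from any web server project."""
import struct

SIGNATURE_ALGORITHMS_EXT = 13        # extension type from RFC 5246
HASH_SHA1, HASH_SHA256 = 2, 4        # HashAlgorithm values from RFC 5246
SIG_RSA = 1                          # SignatureAlgorithm value from RFC 5246


def build_client_hello(version, sigalgs=None):
    """Construct a minimal TLS record carrying a ClientHello (test input only).

    version: 0x0301 for TLS 1.0, 0x0303 for TLS 1.2.
    sigalgs: list of (hash, sig) pairs, or None to omit the extension entirely
    (what a TLS 1.0/1.1 client, e.g. on XP SP2, would send)."""
    body = struct.pack(">H", version) + b"\x00" * 32      # client_version + random
    body += b"\x00"                                        # empty session id
    body += struct.pack(">H", 2) + b"\x00\x2f"             # one cipher suite
    body += b"\x01\x00"                                    # compression: null only
    if sigalgs is not None:
        pairs = b"".join(struct.pack(">BB", h, s) for h, s in sigalgs)
        ext = struct.pack(">HH", SIGNATURE_ALGORITHMS_EXT, len(pairs) + 2)
        ext += struct.pack(">H", len(pairs)) + pairs
        body += struct.pack(">H", len(ext)) + ext          # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake


def parse_signature_algorithms(record):
    """Return the (hash, sig) pairs from the ClientHello's signature_algorithms
    extension, or None if the client did not send that extension."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                           # version + random
    pos += 1 + body[pos]                                   # session id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                   # compression methods
    if pos >= len(body):
        return None                                        # no extensions at all
    end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SIGNATURE_ALGORITHMS_EXT:
            n = struct.unpack(">H", data[:2])[0]
            return [(data[i], data[i + 1]) for i in range(2, 2 + n, 2)]
    return None


def choose_chain(record):
    """Return "sha256" when the client advertises a SHA-256 signature pair,
    otherwise "sha1" (the RFC 5246 default when the extension is absent)."""
    sigalgs = parse_signature_algorithms(record)
    if sigalgs is None:
        return "sha1"
    if any(h == HASH_SHA256 for h, _ in sigalgs):
        return "sha256"
    return "sha1"


if __name__ == "__main__":
    legacy = build_client_hello(0x0301)                       # TLS 1.0, no extension
    modern = build_client_hello(0x0303, [(HASH_SHA256, SIG_RSA), (HASH_SHA1, SIG_RSA)])
    print("legacy client ->", choose_chain(legacy))           # sha1
    print("modern client ->", choose_chain(modern))           # sha256
```

The selection only tells the server what the client can verify; it does nothing about the point Gerv raises, which is whether a SHA-1 chain can still be obtained to serve to that "sha1" branch once the ballot is in force. It also bears watching in logs: the share of ClientHellos landing in the "sha1" branch is the measure of how many visitors are still stuck on the legacy side.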

