[cabfpub] Ballot 118 - SHA1 Sunset
陳立群
realsky at cht.com.tw
Thu Oct 30 18:32:44 MST 2014
I agree with Ben’s processing that only the notes appeared at the end of
the tables about Bug 11.
Sincerely Yours,
Li-Chun CHEN
Engineer
CISSP, CISA, CISM, PMP,
Government Network Service Dept.
Data Communication Business Group
Chunghwa Telecom Co. Ltd.
realsky at cht.com.tw
+886-2-2344-4820#4025
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Friday, October 31, 2014 2:12 AM
To: 'CABFPub'
Subject: Re: [cabfpub] Ballot 118 - SHA1 Sunset
This issue identified by Li-Chun CHEN is filed as Bug 11. Attached please
find a corrected version of the Baseline Requirements redlined as of Ballot
118. Somehow I had not saved the fully edited version. Note that while
Ballot 118 said that the note on SHA 1 should appear at the bottom of each
of the three tables, if we did that then we should add all three notes to
the end of all of the tables, which seems unnecessarily redundant. So you’
ll see that I’ve edited only the notes at the end of the tables.
Otherwise, we’d have to copy all six lines of footnotes to tables (1), (2)
and (3), which I do not think is necessary.
This relined version also proposes to address Bugs 7 (section 9.2.4
re-numbering), 8 (erroneous cross-reference in Appendix B) and 9 (DSA table
formatting) reported by Rick Andrews.
I propose that this version be the basis for moving forward with updates to
v.1.2.2 and 1.2.3 (accepting these changes before re-editing and
re-publishing versions 1.2.2 and 1.2.3).
Please provide any objections to this proposed course of action within 24
hours so I can move forward with editing v. 1.2.2 and 1.2.3 and replacing
what we have on the public website.
Sincerely yours,
Ben
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Thursday, October 30, 2014 9:27 AM
To: 陳立群; 'CABFPub'
Subject: Re: [cabfpub] Ballot 118 - SHA1 Sunset
Thanks. I’ll have to go back through the last several ballots and figure
out how I didn’t carry those changes forward. Then I’ll re-post them as
they should be.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of ???
Sent: Thursday, October 30, 2014 8:28 AM
To: 'CABFPub'
Subject: Re: [cabfpub] Ballot 118 - SHA1 Sunset
I found the result as below sentences are not appeared in
https://cabforum.org/wp-content/uploads/BRv1.2.1.pdf
or
https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf
B. In Appendix A of the Baseline Requirements - Cryptographic Algorithm and
Key Requirements (Normative), add this note under Table 2, Subordinate CA
certificates:
* SHA-1 MAY be used with RSA keys in accordance with the criteria defined in
Section 9.4.2.
And amend this note at the end of each of the 3 tables.
* SHA-1 MAY be used with RSA keys in accordance with the criteria defined in
Section 9.4.2 until SHA-256 is supported widely by browsers used by a
substantial portion of relying-parties worldwide.
Below is the screen about v 1.23
Sincerely Yours,
Li-Chun CHEN
Engineer
CISSP, CISA, CISM, PMP,
Government Network Service Dept.
Data Communication Business Group
Chunghwa Telecom Co. Ltd.
realsky at cht.com.tw
+886-2-2344-4820#4025
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Friday, October 03, 2014 4:56 AM
To: CABFPub
Subject: [cabfpub] Ballot 118 - SHA1 Sunset
Ballot 118 - SHA1 Sunset
Kelvin Yiu of Microsoft made the following motion, and Kirk Hall from Trend
Micro and Ryan Sleevi from Google have endorsed it.
Reason for Ballot
Over the last year or two, several application software providers have
announced deprecation of the SHA-1 algorithm in their software.
-- Motion Begins --
A. In the Baseline Requirements, insert the following new section 9.4.2:
9.4.2 SHA-1 Validity Period
Effective 1 January 2016, CAs MUST NOT issue any new Subscriber certificates
or Subordinate CA certificates using the SHA-1 hash algorithm. CAs MAY
continue to sign certificates to verify OCSP responses using SHA1 until 1
January 2017. This Section 9.4.2 does not apply to Root CA or CA cross
certificates. CAs MAY continue to use their existing SHA-1 Root
Certificates. SHA-2 Subscriber certificates SHOULD NOT chain up to a SHA-1
Subordinate CA Certificate.
Effective 16 January 2015, CAs SHOULD NOT issue Subscriber Certificates
utilizing the SHA-1 algorithm with an Expiry Date greater than 1 January
2017 because Application Software Providers are in the process of
deprecating and/or removing the SHA-1 algorithm from their software, and
they have communicated that CAs and Subscribers using such certificates do
so at their own risk.
B. In Appendix A of the Baseline Requirements - Cryptographic Algorithm and
Key Requirements (Normative), add this note under Table 2, Subordinate CA
certificates:
* SHA-1 MAY be used with RSA keys in accordance with the criteria defined in
Section 9.4.2.
And amend this note at the end of each of the 3 tables.
* SHA-1 MAY be used with RSA keys in accordance with the criteria defined in
Section 9.4.2 until SHA-256 is supported widely by browsers used by a
substantial portion of relying-parties worldwide.
-- Motion Ends --
The review period for this ballot shall commence at 2200 UTC on Thursday, 2
October 2014, and will close at 2200 UTC on Thursday, 9 October 2014. Unless
the motion is withdrawn during the review period, the voting period will
start immediately thereafter and will close at 2200 UTC on Thursday, 16
October 2014. Votes must be cast by posting an on-list reply to this thread.
A vote in favor of the motion must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear responses will not
be counted. The latest vote received from any representative of a voting
member before the close of the voting period will be counted. Voting members
are listed here: https://cabforum.org/members/ In order for the motion to be
adopted, two thirds or more of the votes cast by members in the CA category
and greater than 50% of the votes cast by members in the browser category
must be in favor. Quorum is currently nine (9) members– at least nine
members must participate in the ballot, either by voting in favor, voting
against, or abstaining.
本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利
用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密
及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共
同善盡資訊安全與個資保護責任.
Please be advised that this email message (including any attachments)
contains confidential information and may be legally privileged. If you are
not the intended recipient, please destroy this message and all attachments
from your system and do not further collect, process, or use them. Chunghwa
Telecom and all its subsidiaries and associated companies shall not be
liable for the improper or incomplete transmission of the information
contained in this email nor for any delay in its receipt or damage to your
system. If you are the intended recipient, please protect the confidential
and/or personal information contained in this email with due care. Any
unauthorized use, disclosure or distribution of this message in whole or in
part is strictly prohibited. Also, please self-inspect attachments and
hyperlinks contained in this email to ensure the information security and to
protect personal information.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20141031/4650d40a/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 276437 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20141031/4650d40a/attachment-0001.png
More information about the Public
mailing list