[cabfpub] FW: Ballot - expiration of SHA1 certificates
Rob Stradling
rob.stradling at comodo.com
Mon Sep 8 05:56:50 MST 2014
On 08/09/14 13:24, Erwann Abalea wrote:
<snip>
>> *_9.4.3 Subordinate CA Certificates_*
>>
>> __
>>
>> _Effective 1 January 2016, CAs MUST NOT issue Subordinate CA
>> Certificates that utilize the SHA-1 algorithm._
>>
>
> Even for non-{SSL, CS} purpose?
Non-SSL purposes are out of scope for this proposed ballot, IIUC.
BRs scope: "This version of the Requirements only addresses Certificates
intended to be used for authenticating servers
accessible through the Internet."
Tom wrote:
"I think we can offer similar language for code signing certs and
possibly other BRs once we have hashed this out for SSL."
>> _ CAs MUST NOT issue SHA-2 Subscriber certificates under SHA-1
>> Subordinate CA Certificates._
>
> Why? Issuing SHA2-signed subscriber certificates under a CA has no
> impact on the resistance of the CA's own certificate, whether this one
> is SHA1-signed or anything else.
Also, what if there are 2 Subordinate CA Certificates that contain the
same Subject/Key, one signed using SHA-1 and the other signed using SHA-2?
TBH, I'm not a fan of the concept of a certificate being "issued under"
a CA certificate.
Certificates are issued by a CA, not by a CA Certificate.
CA Certificates are used for certificate verification, not issuance.
<snip>
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public
mailing list