[cabfpub] Proposal for modified Google SHA-1 deprecation policy

John Randall JRandall at trustwave.com
Thu Sep 18 14:39:21 MST 2014


Ryan-

Specific feedback from one of our customers:


- The very disappointing situation is that Google is forcing this.

- This will create trust issues for our customers. We're a bank that depends on our customers' trust. About 30% of our customers use Chrome.

We at Trustwave are working diligently to meet your deadlines but this is indicative of the feedback we are getting from our customers. There is no disagreement in the CA community that SHA-1 needs to be deprecated. But you are forcing the issue in a manner that is only going to cause immense confusion for users and increase support costs for website owners. Your goals are noble and we support them, but your deadlines are very challenging. We thank Microsoft for giving us years of notice – we wish that Google would do the same. Please, use the same deadlines as Microsoft and then hold us (and our customers) accountable. There is absolutely no benefit to anyone with your deadlines. If we all standardize on the same deadlines then the CA and browser industries can truly work together.

You are in the browser business and we acknowledge the competitive pressures between all browser vendors. But we are in the CA business and need to counsel our customers on the reality of this situation. As you can see, our customers are already recognizing that you are working in isolation with your deadlines.

Cheers-

John Randall
Trustwave



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Friday, August 29, 2014 3:18 AM
To: CABFPub (public at cabforum.org)
Subject: [cabfpub] Proposal for modified Google SHA-1 deprecation policy

Well, that was quick – rejected in 10 minutes flat.

Thanks for your consideration.

From: sleevi at google.com [mailto:sleevi at google.com] On Behalf Of Ryan Sleevi
Sent: Thursday, August 28, 2014 7:14 PM
To: Kirk Hall (RD-US)
Cc: blink-dev; security-dev; CABFPub (public at cabforum.org); net-dev; steve.medin at gmail.com; Chris Palmer
Subject: Re: Proposal for modified Google SHA-1 deprecation policy


Hi Kirk,

I feel like I have sufficiently explained our concerns and motivations throughout this thread, with both you and other CAs, that it should be readily apparent that this neither meets our goals nor helps our users.

I appreciate your thoughtful consideration in writing it.

Best,
Ryan
On Aug 28, 2014 7:04 PM, "kirk_hall at trendmicro.com" <kirk_hall at trendmicro.com> wrote:
Ryan and Chris – here is a serious proposal for a modified Google SHA-1 policy.  It meets all of your stated goals.  Please give it some consideration.

1.  SHA-1 certs issued on or after [Nov. 1, 2014] that expire on or after January 1, 2017 get a double whammy bad UI in Google upon issuance – red slash and nasty click-throughs.  (This will stop issuance of 2017 SHA-1 certs this fall.)

2.  SHA-1 certs issued before [Nov. 1, 2014] that expire on or after January 1, 2017 get a double whammy bad UI in Google starting [March 1, 2015] – red slash only and nasty click-throughs.   (This will force existing websites with 2017 SHA-1 certs to change them within the next six months).

Result: All 2017 SHA-1 certs will be gone by next March 2015 – which certainly meets your goals.  Customers with existing 2017 certs can get through this holiday season, CAs can get the message out.

Advantages:

1.  CAs that have never issued 2017 certs, and never will (like Trend Micro) and their customers are not affected – that’s appropriate, as we have never been a part of this problem.

2.  CAs that have issued three year SHA-1 certs expiring in 2017 will stop by this fall.

3.  CAs that have issued 2017 certs in the past (and their customers) will be affected, but will have six months to adjust.  That will be a much smaller number of customers affected than if those with 2016 certs are forced to change their certs twice (in 2014 and again in 2015).

4.  All SHA-1 certs will likely be gone by next spring.

I don’t think Google should spend much time worrying about how CAs communicate with their customers about the need to move to SHA-256 before 2017 – that’s for us to worry about, and we are all strongly incentivized to get the message out (selling a 2017 cert that doesn’t work creates legal problems, and none of us wants to be dealing with angry SHA-1 customers in late 2016 who have to switch to SHA-256).  We may also be able to get behind Google’s policy if it is revised – something that isn’t the case today.

You mentioned somewhere that you worried that simply deprecating SHA-1 certs as of 2017 could create a big customer service burden on Google as of late 2016 or early 2017.  I don’t think that’s the case with this new proposed policy, as all the negative UI effects will happen in 2014-15.  Plus, I predict Google will be deluged with customer service complaints under your current policy, when thousands of websites start showing as “untrusted” in the next 6-12 weeks.  Why not make life easier for Google with a revised policy?

So what do you think?  Can we make a change to the policy that is focused on the real problem (2017 certs)?

Thanks for your consideration.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro





TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential

and may be subject to copyright or other intellectual property protection.

If you are not the intended recipient, you are not authorized to use or

disclose this information, and we request that you notify us by reply mail or

telephone and delete the original message from your mail system.















________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.