[cabfpub] ZDNet article about implementation date for Google SHA-1 deprecation policy

kirk_hall at trendmicro.com
Tue Sep 2 15:33:01 UTC 2014


Ryan, this recent article in ZDNet about Chrome's deprecation of SHA-1 raises doubt about when the deprecation will occur - Chrome 39 or later.  See excerpts below, which say the implementation date is still under "active review and discussion."

http://www.zdnet.com/google-accelerates-end-of-sha-1-support-certificate-authorities-nervous-7000033159/

Obviously the implementation date is of enormous importance to our customers - especially if the actual implementation date will come after the new year.  We are all working on our messaging now, and would like to get it right.

Can you let us know if the date will be after Chrome v39?

Thanks.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro
+1.503.753.3088

[Excerpts from ZDNet article]

***When will Google implement this change? I would argue that this is unclear, but the CASC [CA Security Council] is claiming that the schedule is for Chrome 39. The current stable version is Chrome 37. I'm told by a Symantec employee that Google gave Chrome 39 as a target in a recent conference call of members of the CA/Browser Forum. And in a mailing list discussion on August 12, Ryan Sleevi, a Senior Software Engineer at Google who works on the cryptography in the Chromium platform, certainly seems to say that he's planning to implement the change in Chrome 39.

In fact, the first dev and canary builds of Chrome 39 came out over the weekend and they do not implement the proposed behavior. Sleevi says that it is not implemented and that "... it is still under active review and discussion." There is a defined process for feature deprecation in Chromium. It looks long and complicated and getting it done by Chrome 39 looks tough to me.

The CASC says, based on the assumption of an implementation in Chrome 39, that Google is being too aggressive. The schedule for Chrome 39 would see it released to the stable channel in or about late November, at the height of the holiday shopping season. If consumers start seeing what looks like an HTTPS error, which they have been told to take as a warning of potentially fraudulent activity, the result could be lost sales for commerce sites. ***


