[cabfpub] Proposal for modified Google SHA-1 deprecation policy

Doug Beattie doug.beattie at globalsign.com
Wed Sep 3 13:56:29 UTC 2014 

Adriano,

That is a great suggestions,  have you heard from Ryan on this yet?  I also
find it hard to locate and reference the current Google Chrome baseline
within the long thread in the google groups discussion.

Doug

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Adriano Santoni - Actalis S.p.A.
> Sent: Friday, August 29, 2014 2:57 AM
> To: public at cabforum.org
> Subject: Re: [cabfpub] Proposal for modified Google SHA-1 deprecation
policy
> 
> Ryan,
> 
> apart from the discussion, it would be a good thing if you published your
plan on
> some Google's web site (like e.g.
> http://www.chromium.org/Home/chromium-security/root-ca-policy)
> 
> It would be easier for CAs to show their customers in a more convincing
way
> what Google is going to do.
> In other words, publishing your intent on a web site would have a little
bit more
> officiality -- that would help CAs.
> 
> How about that?
> 
> Thank you
>    Adriano
> 
> 
> 
> Il 29/08/2014 04:13, Ryan Sleevi ha scritto:
> >
> > Hi Kirk,
> >
> > I feel like I have sufficiently explained our concerns and motivations
> > throughout this thread, with both you and other CAs, that it should be
> > readily apparent that this neither meets our goals nor helps our users.
> >
> > I appreciate your thoughtful consideration in writing it.
> >
> > Best,
> > Ryan
> >
> > On Aug 28, 2014 7:04 PM, "kirk_hall at trendmicro.com
> > <mailto:kirk_hall at trendmicro.com>" <kirk_hall at trendmicro.com
> > <mailto:kirk_hall at trendmicro.com>> wrote:
> >
> >     Ryan and Chris - here is a serious proposal for a modified Google
> >     SHA-1 policy.  It meets all of your stated goals.  Please give it
> >     some consideration.
> >
> >     1. SHA-1 certs issued on or after [Nov. 1, 2014] that expire on or
> >     after January 1, 2017 get a double whammy bad UI in Google upon
> >     issuance - red slash and nasty click-throughs.  (This will stop
> >     issuance of 2017 SHA-1 certs this fall.)
> >
> >     2. SHA-1 certs issued before [Nov. 1, 2014] that expire on or
> >     after January 1, 2017 get a double whammy bad UI in Google
> >     starting [March 1, 2015] - red slash only and nasty
> >     click-throughs.   (This will force existing websites with 2017
> >     SHA-1 certs to change them within the next six months).
> >
> >     Result: All 2017 SHA-1 certs will be gone by next March 2015 -
> >     which certainly meets your goals.  Customers with existing 2017
> >     certs can get through this holiday season, CAs can get the message
> >     out.
> >
> >     Advantages:
> >
> >     1. CAs that have never issued 2017 certs, and never will (like
> >     Trend Micro) and their customers are not affected - that's
> >     appropriate, as we have never been a part of this problem.
> >
> >     2. CAs that have issued three year SHA-1 certs expiring in 2017
> >     will stop by this fall.
> >
> >     3. CAs that have issued 2017 certs in the past (and their
> >     customers) will be affected, but will have six months to adjust.
> >     That will be a much smaller number of customers affected than if
> >     those with 2016 certs are forced to change their certs twice (in
> >     2014 and again in 2015).
> >
> >     4. All SHA-1 certs will likely be gone by next spring.
> >
> >     I don't think Google should spend much time worrying about how CAs
> >     communicate with their customers about the need to move to SHA-256
> >     before 2017 - that's for us to worry about, and we are all
> >     strongly incentivized to get the message out (selling a 2017 cert
> >     that doesn't work creates legal problems, and none of us wants to
> >     be dealing with angry SHA-1 customers in late 2016 who have to
> >     switch to SHA-256).  We may also be able to get behind Google's
> >     policy if it is revised - something that isn't the case today.
> >
> >     You mentioned somewhere that you worried that simply deprecating
> >     SHA-1 certs as of 2017 could create a big customer service burden
> >     on Google as of late 2016 or early 2017.  I don't think that's the
> >     case with this new proposed policy, as all the negative UI effects
> >     will happen in 2014-15.  Plus, I predict Google will be deluged
> >     with customer service complaints under your current policy, when
> >     thousands of websites start showing as "untrusted" in the next
> >     6-12 weeks.  Why not make life easier for Google with a revised
> >     policy?
> >
> >     So what do you think?  Can we make a change to the policy that is
> >     focused on the real problem (2017 certs)?
> >
> >     Thanks for your consideration.
> >
> >     */Kirk R. Hall/*
> >
> >     Operations Director, Trust Services
> >
> >     Trend Micro
> >
> >     TREND MICRO EMAIL NOTICE
> >     The information contained in this email and any attachments is
confidential
> >     and may be subject to copyright or other intellectual property
protection.
> >     If you are not the intended recipient, you are not authorized to use
or
> >     disclose this information, and we request that you notify us by
reply mail or
> >     telephone and delete the original message from your mail system.
> >
> >
> >
> > _______________________________________________
> > Public mailing list
> > Public at cabforum.org
> > https://cabforum.org/mailman/listinfo/public
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5615 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140903/0d53de78/attachment.p7s>

More information about the Public mailing list