[cabfpub] ZDNet article about implementation date for Google SHA-1 deprecation policy

Ryan Sleevi sleevi at google.com
Tue Sep 2 16:42:14 UTC 2014 

Hi Kirk,

In order to help avoid fragmenting this discussion in multiple forums or
threads, I've replied to the proposal and hope you can do the same.


On Tue, Sep 2, 2014 at 8:33 AM, kirk_hall at trendmicro.com <
kirk_hall at trendmicro.com> wrote:

>  Ryan, this recent article in ZDNet about Chrome’s deprecation of SHA-1
> raises doubt about when the deprecation will occur – Chrome 39 or later.
> See excerpts below, which say the implementation date is still under
> “active review and discussion.”
>
>
>
>
> http://www.zdnet.com/google-accelerates-end-of-sha-1-support-certificate-authorities-nervous-7000033159/
>
>
>
> Obviously the implementation date is of enormous importance to our
> customers – especially if the actual implementation date will come after
> the new year.  We are all working on our messaging now, and would like to
> get it right.
>
>
>
> Can you let us know if the date will be after Chrome v39?
>
>
>
> Thanks.
>
>
>
> *Kirk R. Hall*
>
> Operations Director, Trust Services
>
> Trend Micro
>
> +1.503.753.3088
>
>
>
> *[Excerpts from ZDNet article]*
>
>
>
> ***When will Google implement this change? I would argue that this is
> unclear, but the CASC [CA Security Council] is claiming that the schedule
> is for Chrome 39. The current stable version is Chrome 37. I'm told by a
> Symantec employee that Google gave Chrome 39 as a target in a recent
> conference call of members of the CA/Browser Forum. And in a mailing list
> discussion on August 12, Ryan Sleevi, a Senior Software Engineer at
> Google who works on the cryptography in the Chromium platform, certainly
> seems to say that he's planning to implement the change in Chrome 39.
>
>
>
> In fact, the first dev and canary builds of Chrome 39 came out over the
> weekend and they do not implement the proposed behavior. Sleevi says that
> it is not implemented and that "... it is still under active review and
> discussion." There is a defined process for feature deprecation in
> Chromium. It looks long and complicated and getting it done by Chrome 39
> looks tough to me.
>
>
>
> The CASC says, based on the assumption of an implementation in Chrome 39,
> that Google is being too aggressive. The schedule for Chrome 39 would see
> it released to the stable channel in or about late November, at the height
> of the holiday shopping season. If consumers start seeing what looks like
> an HTTPS error, which they have been told to take as a warning of
> potentially fraudulent activity, the result could be lost sales for
> commerce sites. ***
>
>
>
>
>
> TREND MICRO EMAIL NOTICE
> The information contained in this email and any attachments is confidential
> and may be subject to copyright or other intellectual property protection.
> If you are not the intended recipient, you are not authorized to use or
> disclose this information, and we request that you notify us by reply mail or
> telephone and delete the original message from your mail system.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140902/bdc53bf4/attachment-0003.html>

More information about the Public mailing list