[cabfpub] FW: Ballot - expiration of SHA1 certificates

Rob Stradling rob.stradling at comodo.com
Mon Sep 8 12:56:50 UTC 2014

On 08/09/14 13:24, Erwann Abalea wrote:
>> *_9.4.3 Subordinate CA Certificates_*
>>
>> _Effective 1 January 2016, CAs MUST NOT issue Subordinate CA
>> Certificates that utilize the SHA-1 algorithm._
> Even for non-{SSL, CS} purpose?

Non-SSL purposes are out of scope for this proposed ballot, IIUC.

BRs scope: "This version of the Requirements only addresses Certificates
intended to be used for authenticating servers accessible through the
Internet."

Tom wrote:
"I think we can offer similar language for code signing certs and 
possibly other BRs once we have hashed this out for SSL."

>> _CAs MUST NOT issue SHA-2 Subscriber certificates under SHA-1
>> Subordinate CA Certificates._
> Why? Issuing SHA2-signed subscriber certificates under a CA has no
> impact on the resistance of the CA's own certificate, whether this one
> is SHA1-signed or anything else.

Also, what if there are 2 Subordinate CA Certificates that contain the 
same Subject/Key, one signed using SHA-1 and the other signed using SHA-2?

TBH, I'm not a fan of the concept of a certificate being "issued under" 
a CA certificate.
Certificates are issued by a CA, not by a CA Certificate.
CA Certificates are used for certificate verification, not issuance.


Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
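
Added example (not part of the original message and not any CA's or browser's code): a simplified path-building model of the case raised above, where two Subordinate CA Certificates share a Subject/Key and one SHA-2 subscriber certificate chains through either. The Cert records, names and key labels are constructed, and signature checks are modelled as name/key matching rather than real cryptography.

```python
from collections import namedtuple

# Simplified certificate record (constructed sample data, not real certificates).
# "key" stands for the subject public key, "issuer_key" for the key that signed
# the certificate, "sig_hash" for the hash used in the certificate's signature.
Cert = namedtuple("Cert", "label subject key issuer issuer_key sig_hash")

ROOT = Cert("root", "CN=Example Root", "K_root", "CN=Example Root", "K_root", "sha1")
SUB_SHA1 = Cert("sub-sha1", "CN=Example Sub CA", "K_sub", "CN=Example Root", "K_root", "sha1")
SUB_SHA2 = Cert("sub-sha2", "CN=Example Sub CA", "K_sub", "CN=Example Root", "K_root", "sha256")
LEAF = Cert("leaf", "CN=www.example.com", "K_leaf", "CN=Example Sub CA", "K_sub", "sha256")

def is_issuer_of(candidate, cert):
    """Name and key chaining: the only link a certificate has to its issuer."""
    return candidate.subject == cert.issuer and candidate.key == cert.issuer_key

def build_paths(cert, pool, anchors, seen=()):
    """Return every path from cert up to a trust anchor, leaf first."""
    if cert in anchors:
        return [[cert]]
    paths = []
    for cand in pool:
        if cand is not cert and cand not in seen and is_issuer_of(cand, cert):
            for tail in build_paths(cand, pool, anchors, seen + (cert,)):
                paths.append([cert] + tail)
    return paths

def sha1_in_path(path):
    """True if any certificate below the trust anchor has a SHA-1 signature.

    The anchor (last element) is skipped: it is trusted directly, so its
    self-signature is not what the path relies on.
    """
    return any(c.sig_hash == "sha1" for c in path[:-1])

def summarize(leaf, pool, anchors):
    """List each candidate path as (labels, contains-SHA-1-signature)."""
    return [([c.label for c in p], sha1_in_path(p))
            for p in build_paths(leaf, pool, anchors)]

if __name__ == "__main__":
    for labels, weak in summarize(LEAF, [ROOT, SUB_SHA1, SUB_SHA2], [ROOT]):
        print(" -> ".join(labels), "| SHA-1 signature in path:", weak)
```

The leaf record is identical in both paths; which Subordinate CA Certificate it sits "under" depends only on which one the verifier picks up.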
