[cabfpub] Ballot - expiration of SHA1 certificates

Eddy Nigg eddy_nigg at startcom.org
Sat Sep 13 22:01:48 UTC 2014

On 09/13/2014 02:12 AM, Tom Albertson wrote:
> Hi there - sorry to drop off the face of the earth there, I was oof 
> and got busy this week.  Great feedback!  I have attached to this 
> email a revised ballot incorporating some of your feedback, and am 
> writing specific responses on a few topics raised.

Thanks Tom!

> If CAs are actually hurting to meet this deadline I would love to hear 
> from them, if they need more time then we can allow it on their audits 
> etc -- but I am not certain that 1 Jan 2015 is any better than 10 
> November 2014.

Let's say that four months is double two months, probably significant 
for implementation on short notice. On the other hand, the 1st of January 
isn't really much worse than the 1st of November in this respect, and it 
should be considered.

November is also kind of random instead of the end of the year/new year 
(at least psychologically it works for me better :-) ).

> @rick_andrews @brian - OCSP, 3 uses - 1. The ResponderID construct 
> (through KeyHash), to identify a certificate by the hash of its public 
> key. 2. The CertID construct. 3. The signature of the OCSP response.
> Tom: Correct - Windows will enforce the SHA1 policy only on the 3) 
> signature of the OCSP response. The SHA1 policy does not apply to any 
> other uses of SHA1, such as the ResponderID construct, key hash or 
> CertID.

This means that the response must be SHA2 but the signer can remain 
SHA1? Considering the short lifetime of the response signature, 
shouldn't this be the other way around?

Signer: Eddy Nigg, COO/CTO
        StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>

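The three SHA-1 sites Tom lists (ResponderID KeyHash, CertID hash algorithm, response signature) live in different parts of a DER BasicOCSPResponse, and an auditor checking a responder against the Windows rule quoted above needs to tell them apart. The following is an added Python example, not code from this thread or from either company: it builds a constructed, unsigned response following the RFC 6960 layout (where KeyHash is defined as the SHA-1 of the responder key), reports which algorithm sits at each site, and applies Tom's stated rule that only the signature is policy-checked. The OID table, the byKey ResponderID and the placeholder signature bits are assumptions of the example.

```python
import hashlib

# DER-encoded OIDs for the algorithms expected in an OCSP response
OIDS = {
    b"\x2b\x0e\x03\x02\x1a": "sha1",                                    # 1.3.14.3.2.26
    b"\x60\x86\x48\x01\x65\x03\x04\x02\x01": "sha256",                  # 2.16.840.1.101.3.4.2.1
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05": "sha1WithRSAEncryption",   # 1.2.840.113549.1.1.5
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b": "sha256WithRSAEncryption", # 1.2.840.113549.1.1.11
}

def der(tag, body):  # minimal DER TLV encoder; bodies stay under 256 bytes in this example
    length = bytes([len(body)]) if len(body) < 128 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + length + body

def children(body):
    """Split a constructed DER body into its (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, n, hdr = body[pos], body[pos + 1], 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n, hdr = int.from_bytes(body[pos + 2:pos + 2 + k], "big"), 2 + k
        out.append((tag, body[pos + hdr:pos + hdr + n]))
        pos += hdr + n
    return out

def alg_name(alg_id_body):  # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    return OIDS.get(children(alg_id_body)[0][1], "unknown")

def build_response(certid_hash_oid, sig_oid):
    """Constructed test input shaped like a BasicOCSPResponse (byKey ResponderID, one 'good' SingleResponse)."""
    alg = lambda oid: der(0x30, der(0x06, oid) + der(0x05, b""))
    key_hash = hashlib.sha1(b"constructed responder public key").digest()   # KeyHash is SHA-1 by definition
    cert_id = der(0x30, alg(certid_hash_oid) + der(0x04, b"\x11" * 20) + der(0x04, b"\x22" * 20) + der(0x02, b"\x01"))
    single = der(0x30, cert_id + der(0x80, b"") + der(0x18, b"20140913220148Z"))  # certStatus good [0]
    tbs = der(0x30, der(0xA2, der(0x04, key_hash)) + der(0x18, b"20140913220148Z") + der(0x30, single))
    return der(0x30, tbs + alg(sig_oid) + der(0x03, b"\x00" * 33))              # placeholder signature bits

def hash_uses(resp):
    """Name the algorithm at each of the three SHA-1 sites listed in the thread."""
    tbs, sig_alg, _sig = children(children(resp)[0][1])
    fields = children(tbs[1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields          # skip explicit [0] version if present
    responder_id, _produced_at, responses = fields[:3]
    cert_id = children(children(responses[1])[0][1])[0]             # first SingleResponse -> certID
    return {"responderID": "KeyHash (SHA-1 by definition)" if responder_id[0] == 0xA2 else "byName (no hash)",
            "certID": alg_name(children(cert_id[1])[0][1]),        # certID.hashAlgorithm
            "signature": alg_name(sig_alg[1])}                     # BasicOCSPResponse.signatureAlgorithm

def trips_windows_sha1_policy(uses):  # per Tom's reply, Windows checks SHA-1 only on the response signature
    return uses["signature"].startswith("sha1")
```

The parser is structural only and does not verify the signature; on a real responder's output it shows why a SHA-1 CertID hash (chosen by the client in the request) or the SHA-1 KeyHash is untouched by the policy while a SHA-1 signature is not.
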