[cabfpub] Proposal for modified Google SHA-1 deprecation policy

Chris Palmer palmer at google.com
Thu Sep 18 22:06:07 UTC 2014


On Thu, Sep 18, 2014 at 2:39 PM, John Randall <JRandall at trustwave.com> wrote:

> We at Trustwave are working diligently to meet your deadlines but this is indicative of the feedback we are getting from our customers.

Did you issue the customers SHA-1-using certificates that are valid
past 1 Jan 2017?

If not, there's no problem.

If so, then you did not pay serious attention to the deadline that
Microsoft gave with, as you say, years of notice.

> Please, use the same deadlines as Microsoft and then hold us (and our customers) accountable. There is absolutely no benefit to anyone with your deadlines. If we all standardize on the same deadlines then the CA and browser industries can truly work together.

That sounds like, effectively, a request for browsers to suddenly
hard-fail SHA-1 certificates on 1 Jan 2017. But we know from
experience that late in 2016, we would hear requests to push the
deadline back... Therefore, this gradual sunsetting is a way to avoid
that bad outcome.

Keep in mind also that, as we described
(http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html),
the UI indication in Chrome 39 will look like the mixed passive
content warning (the yellow triangle overlaid on the lock). Several of
the bank web sites I visited already have mixed passive content, so
they effectively will not look any more or less trustworthy in Chrome
39 as a result of SHA-1-based signatures.

(A lot of the bank sites I just looked at don't even default to HTTPS at all...)
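The test implied by the question above (is this a SHA-1-signed certificate whose notAfter falls on or after 1 Jan 2017, the Chrome 39 criterion from the linked post) can be run over a certificate inventory with nothing but the standard library. The checker below is an added example, not code from the thread, Google or Trustwave. It reads only the signatureAlgorithm OID and the validity period from DER, does not verify signatures or walk a chain (Chrome looks at every signature in the chain; this checks one certificate's own signature), and the certificates it classifies are constructed, unsigned stand-ins built by make_fake_cert, not real certificates.

```python
"""Added example: flag certificates that meet Chrome 39's SHA-1 warning rule
(SHA-1 signature and notAfter on or after 2017-01-01). Stdlib only."""
from datetime import datetime, timezone

SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)  # Chrome 39 boundary (on or after -> warn)


# --- minimal DER reading (only what the check needs) ------------------------
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        yield tag, v


def _decode_oid(value):
    subids, acc = [], 0
    for b in value:                         # base-128 groups, MSB first
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def _decode_time(tag, value):
    """UTCTime (0x17, YYMMDD..., 50-99 -> 19xx) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_signature_and_not_after(der):
    """Return (outer signatureAlgorithm OID, notAfter) from a DER certificate."""
    _, cert, _ = _read_tlv(der, 0)                   # Certificate ::= SEQUENCE
    tbs, sig_alg = [v for _, v in _children(cert)][:2]
    fields = list(_children(tbs))
    i = 1 if fields[0][0] == 0xA0 else 0             # skip version [0] if present
    validity = fields[i + 3][1]                      # serial, signature, issuer, validity
    _not_before, not_after = [_decode_time(t, v) for t, v in _children(validity)]
    oid = _decode_oid(next(v for t, v in _children(sig_alg) if t == 0x06))
    return oid, not_after


def chrome39_sha1_status(der):
    """Classify one certificate under the Chrome 39 rule discussed in the thread."""
    oid, not_after = parse_signature_and_not_after(der)
    if oid not in SHA1_SIGNATURE_OIDS:
        return "ok: not SHA-1"
    if not_after < CUTOFF:
        return "ok: SHA-1 but expires before 2017-01-01"
    return "warn: SHA-1 and valid on or after 2017-01-01"


# --- constructed sample input: fake, unsigned certificates ------------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for s in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        groups = [s & 0x7F]
        while s >> 7:
            s >>= 7
            groups.append(0x80 | (s & 0x7F))
        out.extend(reversed(groups))
    return bytes(out)


def make_fake_cert(sig_oid, not_after_utctime):
    """Structurally valid certificate with an empty signature; NOT a real cert."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    empty_name = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"140918000000Z") + _tlv(0x17, not_after_utctime.encode()))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.1.1")) + b"\x05\x00")
                + _tlv(0x03, b"\x00"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + empty_name + validity + empty_name + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


def run_samples():
    """Classify three constructed certificates (see make_fake_cert)."""
    return {
        "sha1_expires_2017_06": chrome39_sha1_status(make_fake_cert("1.2.840.113549.1.1.5", "170601000000Z")),
        "sha1_expires_2016_12": chrome39_sha1_status(make_fake_cert("1.2.840.113549.1.1.5", "161231235959Z")),
        "sha256_expires_2020": chrome39_sha1_status(make_fake_cert("1.2.840.113549.1.1.11", "200101000000Z")),
    }


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(name, "->", status)
```

To run it against a real inventory, feed chrome39_sha1_status the DER bytes of each end-entity certificate (for PEM input, base64-decode the body between the BEGIN/END lines first); remember that the rule in the blog post applies to the whole chain, so intermediates should be checked the same way.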
