[cabfpub] Updates to Microsoft SHA-1 deprecation
Dean Coclin
Dean_Coclin at symantec.com
Wed Apr 29 15:42:16 UTC 2015
Should we add this to the agenda for this week's call?
Dean
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Anoosh Saboori
Sent: Monday, April 27, 2015 1:04 PM
To: Bruce Morton; Rick Andrews; Erwann Abalea; public at cabforum.org
Subject: Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
My apologies for the late response. I was out of the office for an extended period
of time. I should be able to finalize the email below this week and get back to
the thread. Thanks for your patience.
Anoosh
_____
From: Bruce Morton <bruce.morton at entrust.com>
Sent: Monday, April 27, 2015 12:13 PM
To: Anoosh Saboori; Rick Andrews; Erwann Abalea; public at cabforum.org
Subject: RE: [cabfpub] Updates to Microsoft SHA-1 deprecation
Hi Anoosh,
Is there any update to this request?
Thanks, Bruce.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Anoosh Saboori
Sent: Monday, March 23, 2015 3:35 PM
To: Rick Andrews; Erwann Abalea; public at cabforum.org
Subject: Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
I am consolidating the feedback and will get back to you shortly.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rick Andrews
Sent: Monday, March 23, 2015 10:52 AM
To: Erwann Abalea; public at cabforum.org
Subject: Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
Thanks, Erwann. I missed that.
Two questions for Anoosh:
1) What's the rationale for 1/1/2016? I'm almost certain that Tom said
it wouldn't be required until 1/1/2017.
2) Echoing Bruce's comment, is there any way that you can pull all the
details together in a more understandable format? IMO, I shouldn't have to
read through all 5 pages of comments to see what the policy is. It's great
that Microsoft accepts comments (and answers them!) but if someone posts a
question it probably means that the policy statement is lacking, and should
be updated.
-Rick
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Erwann Abalea
Sent: Monday, March 23, 2015 9:05 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx#pi47623=2
CRLs will be SHA2-signed by 01/01/2016. See responses by "Amerk [MSFT]".
--
Erwann ABALEA
On 23/03/2015 16:57, Rick Andrews wrote:
Bruce,
At the Beijing meeting, Tom Albertson said that by 1/1/2017, even CRLs for
SHA-1 roots had to be signed with SHA-2.
Anoosh, I assume that's still Microsoft's policy.
-Rick
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Bruce Morton
Sent: Monday, March 23, 2015 7:40 AM
To: Anoosh Saboori
Cc: CABFPub
Subject: Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
Hi Anoosh,
I might be the only one, but I am a little confused regarding the Windows
hashing requirements. It would be great if there was a matrix to
show/confirm your requirements per Windows version.
I am thinking that the following must be covered:
· SSL certificates
· Code Signing certificates
· S/MIME certificates
· Time-stamping certificates
· OCSP signing certificates
· Code signing signatures
· Time-stamp signatures
· CRL signatures
· OCSP signatures
· there must be more
An issue that I want to understand is, since some certificates can be SHA-1,
can the CRL/OCSP response be signed with a SHA-1 certificate? Can the
signature be SHA-1? We would need to understand this for both root and
issuing CAs.
If we can nail this down, then it will be easier to draft a spec for our
implementation teams.
Thanks, Bruce.
From: Anoosh Saboori [mailto:ansaboor at microsoft.com]
Sent: Saturday, March 21, 2015 8:29 PM
To: Bruce Morton
Cc: CABFPub
Subject: RE: [cabfpub] Updates to Microsoft SHA-1 deprecation
Windows enforcement dates (i.e., date at which SHA-1 certificates will be
rejected by Windows) only apply to SSL and code signing certificates. All
other types of certificates will be rejected on Windows side when SHA-1
pre-image attacks are deemed feasible by Microsoft.
Anoosh
From: Bruce Morton [mailto:bruce.morton at entrust.com]
Sent: Friday, March 20, 2015 6:47 PM
To: Anoosh Saboori
Cc: CABFPub
Subject: Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
Hi Anoosh,
Thank you for the update.
I don't think the policy for S/MIME certificates has been stated. I see some
discussion in the comments. Could you also advise how the SHA-1 deprecation
policy applies to S/MIME certificates.
Thanks, Bruce.
On Mar 20, 2015, at 8:57 PM, Anoosh Saboori <ansaboor at microsoft.com> wrote:
Hello,
I would like to inform you that Microsoft has made an update to its SHA-1
deprecation policy to accommodate developers targeting Vista/Server 2008.
Please see below.
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
Anoosh
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
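Bruce's March 23 question separates two things that are easy to conflate when drafting a spec from this policy: the hash that signed the CA's own certificate, and the hash named in the signature on the CRL (or OCSP response) itself. The following is an added example for readers of this thread, not code from the thread, from Microsoft or from any CA: a standard-library Python checker that reads the outer signatureAlgorithm of a DER or PEM Certificate or CertificateList and reports which hash signed that particular object. The OID-to-hash mapping is assumed from RFC 3279/4055/5758, the sample objects are constructed inline (only their outer layout matches a real certificate or CRL), and OCSP responses, which use a different outer structure, are not handled.

```python
"""Report which hash algorithm signs an X.509 certificate or CRL (DER or PEM).

Added example, standard library only. Certificate and CertificateList are both
SEQUENCE { tbs, signatureAlgorithm, signatureValue }, so the OID in the outer
signatureAlgorithm says which hash signed *this object*, independent of what
hash signed the issuer's own certificate.
"""
import base64
import re

# signatureAlgorithm OID -> hash it uses (mapping assumed from RFC 3279/4055/5758)
SIG_OID_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}


def read_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Dotted string for DER OBJECT IDENTIFIER content bytes."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in content[1:]:                 # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def load_der(obj):
    """Accept PEM text (any BEGIN/END label) or raw DER bytes; return DER bytes."""
    data = obj.encode() if isinstance(obj, str) else obj
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def signature_hash(obj):
    """Hash named by the outer signatureAlgorithm of a Certificate or CertificateList."""
    tag, body, _ = read_tlv(load_der(obj))
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body)            # skip tbsCertificate / tbsCertList
    tag, alg, _ = read_tlv(body, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = read_tlv(alg)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return SIG_OID_HASH.get(dotted, "unknown:" + dotted)


def is_sha1_signed(obj):
    return signature_hash(obj) == "sha1"


# --- constructed samples (not real certificates; only the outer layout matters) ---
def _der(tag, content):
    """Tiny DER encoder used to build the samples, including a long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _sample(sig_oid_hex):
    tbs = _der(0x30, _der(0x04, b"\x00" * 200))      # 200-byte body forces long-form length
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")
    sig = _der(0x03, b"\x00" + b"\x11" * 32)
    return _der(0x30, tbs + alg + sig)


SAMPLE_SHA1_CRL = _sample("2a864886f70d010105")      # sha1WithRSAEncryption
SAMPLE_SHA256_CERT = _sample("2a864886f70d01010b")   # sha256WithRSAEncryption
SAMPLE_SHA1_CRL_PEM = ("-----BEGIN X509 CRL-----\n"
                       + base64.encodebytes(SAMPLE_SHA1_CRL).decode()
                       + "-----END X509 CRL-----\n")

if __name__ == "__main__":
    for name, obj in [("crl", SAMPLE_SHA1_CRL), ("cert", SAMPLE_SHA256_CERT)]:
        print(name, signature_hash(obj), "SHA-1 signed:", is_sha1_signed(obj))
```

Run it against a real CRL with `signature_hash(open("ca.crl", "rb").read())`; to answer Bruce's two-part question for one CA you run it twice, once on the CA certificate and once on a CRL it issued, and the two answers are independent.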