[cabfpub] Updates to Microsoft SHA-1 deprecation
Anoosh Saboori
ansaboor at microsoft.com
Thu Apr 30 12:23:32 UTC 2015
I wont be able to join since I am at //Build conference. I will share my updates via email.
________________________________
From: Dean Coclin <Dean_Coclin at symantec.com>
Sent: Wednesday, April 29, 2015 8:42 AM
To: Anoosh Saboori; Bruce Morton; Rick Andrews; Erwann Abalea; public at cabforum.org
Subject: RE: [cabfpub] Updates to Microsoft SHA-1 deprecation
Should we add this to the agenda for this week’s call?
Dean
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Anoosh Saboori
Sent: Monday, April 27, 2015 1:04 PM
To: Bruce Morton; Rick Andrews; Erwann Abalea; public at cabforum.org
Subject: Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
My apologies for late response. I was out of office for an extended period of time. I should be able to finalize below email this week and get back to the thread. Thanks for your patience.
Anoosh
________________________________
From: Bruce Morton <bruce.morton at entrust.com<mailto:bruce.morton at entrust.com>>
Sent: Monday, April 27, 2015 12:13 PM
To: Anoosh Saboori; Rick Andrews; Erwann Abalea; public at cabforum.org<mailto:public at cabforum.org>
Subject: RE: [cabfpub] Updates to Microsoft SHA-1 deprecation
Hi Anoosh,
Is there any update to this request?
Thanks, Bruce.
From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of Anoosh Saboori
Sent: Monday, March 23, 2015 3:35 PM
To: Rick Andrews; Erwann Abalea; public at cabforum.org<mailto:public at cabforum.org>
Subject: Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
I am consolidating the feedbacks and get back to you shortly.
From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of Rick Andrews
Sent: Monday, March 23, 2015 10:52 AM
To: Erwann Abalea; public at cabforum.org<mailto:public at cabforum.org>
Subject: Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
Thanks, Erwann. I missed that.
Two questions for Anoosh:
1) What’s the rationale for 1/1/2016? I’m almost certain that Tom said it wouldn’t be required until 1/1/2017.
2) Echoing Bruce’s comment, is there any way that you can pull all the details together in a more understandable format? IMO, I shouldn’t have to read through all 5 pages of comments to see what the policy is. It’s great that Microsoft accepts comments (and answers them!) but if someone posts a question it probably means that the policy statement is lacking, and should be updated.
-Rick
From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of Erwann Abalea
Sent: Monday, March 23, 2015 9:05 AM
To: public at cabforum.org<mailto:public at cabforum.org>
Subject: Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx#pi47623=2
CRLs will be SHA2-signed by 01/01/2016. See responses by "Amerk [MSFT]".
--
Erwann ABALEA
Le 23/03/2015 16:57, Rick Andrews a écrit :
Bruce,
At the Beijing meeting, Tom Albertson said that by 1/1/2017, even CRLs for SHA-1 roots had to be signed with SHA-2.
Anoosh, I assume that’s still Microsoft’s policy.
-Rick
From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of Bruce Morton
Sent: Monday, March 23, 2015 7:40 AM
To: Anoosh Saboori
Cc: CABFPub
Subject: Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
Hi Anoosh,
I might be the only one, but I am a little confused regarding the Windows hashing requirements. It would be great if there was a matrix to show/confirm your requirements per Windows version.
I am thinking that the following must be covered:
• SSL certificates
• Code Signing certificates
• S/MIME certificates
• Time-stamping certificates
• OCSP signing certificates
• Code signing signatures
• Time-stamp signatures
• CRL signatures
• OCSP signatures
• there must be more …
An issue that I want to understand is, since some certificates can be SHA-1, can the CRL/OCSP response be signed with a SHA-1 certificate? Can the signature be SHA-1? We would need to understand this for both root and issuing CAs.
If we can nail this down, then it will be easier to draft a spec for our implementation teams.
Thanks, Bruce.
From: Anoosh Saboori [mailto:ansaboor at microsoft.com]
Sent: Saturday, March 21, 2015 8:29 PM
To: Bruce Morton
Cc: CABFPub
Subject: RE: [cabfpub] Updates to Microsoft SHA-1 deprecation
Windows enforcement dates (i.e., date at which SHA-1 certificates will be rejected by Windows) only apply to SSL and code signing certificates. All other types of certificates will be rejected on Windows side when SHA-1 pre-image attacks are deemed feasible by Microsoft.
Anoosh
From: Bruce Morton [mailto:bruce.morton at entrust.com]
Sent: Friday, March 20, 2015 6:47 PM
To: Anoosh Saboori
Cc: CABFPub
Subject: Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
Hi Anoosh,
Thank you for the update.
I don't think the policy for S/MIME certificates has been stated. I see some discussion in the comments. Could you also advise how the SHA-1 deprecation policy applies to S/MIME certificates.
Thanks, Bruce.
On Mar 20, 2015, at 8:57 PM, Anoosh Saboori <ansaboor at microsoft.com<mailto:ansaboor at microsoft.com>> wrote:
Hello,
I would like to inform you that Microsoft has made update to its SHA-1 deprecation policy to accommodate developers targeting Vista/Server 2008. Please see below.
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
Anoosh
_______________________________________________
Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public
_______________________________________________
Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150430/9819fa6d/attachment-0003.html>
More information about the Public
mailing list