[cabfpub] Updates to Microsoft SHA-1 deprecation

Bruce Morton bruce.morton at entrust.com
Mon Mar 23 07:40:06 MST 2015


Hi Anoosh,

I might be the only one, but I am a little confused regarding the Windows hashing requirements. It would be great if there was a matrix to show/confirm your requirements per Windows version.

I am thinking that the following must be covered:

* SSL certificates
* Code Signing certificates
* S/MIME certificates
* Time-stamping certificates
* OCSP signing certificates
* Code signing signatures
* Time-stamp signatures
* CRL signatures
* OCSP signatures
* there must be more ...

An issue that I want to understand is, since some certificates can be SHA-1, can the CRL/OCSP response be signed with a SHA-1 certificate? Can the signature be SHA-1? We would need to understand this for both root and issuing CAs.

If we can nail this down, then it will be easier to draft a spec for our implementation teams.

Thanks, Bruce.

From: Anoosh Saboori [mailto:ansaboor at microsoft.com]
Sent: Saturday, March 21, 2015 8:29 PM
To: Bruce Morton
Cc: CABFPub
Subject: RE: [cabfpub] Updates to Microsoft SHA-1 deprecation

Windows enforcement dates (i.e., the date at which SHA-1 certificates will be rejected by Windows) only apply to SSL and code signing certificates. All other types of certificates will be rejected on the Windows side when SHA-1 pre-image attacks are deemed feasible by Microsoft.

Anoosh


From: Bruce Morton [mailto:bruce.morton at entrust.com]
Sent: Friday, March 20, 2015 6:47 PM
To: Anoosh Saboori
Cc: CABFPub
Subject: Re: [cabfpub] Updates to Microsoft SHA-1 deprecation

Hi Anoosh,

Thank you for the update.

I don't think the policy for S/MIME certificates has been stated. I see some discussion in the comments. Could you also advise how the SHA-1 deprecation policy applies to S/MIME certificates.

Thanks, Bruce.

On Mar 20, 2015, at 8:57 PM, Anoosh Saboori <ansaboor at microsoft.com> wrote:
Hello,

I would like to inform you that Microsoft has made an update to its SHA-1 deprecation policy to accommodate developers targeting Vista/Server 2008. Please see below.

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

Anoosh
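
Bruce's question above separates two things an implementation team has to check independently: the hash in the signature on a CA certificate, and the hash in the signature on each CRL or OCSP response that CA issues. Certificate, CertificateList and BasicOCSPResponse share one outer DER shape, SEQUENCE { tbs..., signatureAlgorithm, signature BIT STRING }, so one extractor can inventory all three. The following is an added example for this thread, not code from the list, from Microsoft or from Entrust. The DER handling is hand-written and minimal, the OID table is the standard one from RFC 3279/4055/5758, and the sample objects are constructed skeletons with a placeholder tbs and a dummy signature; a real OCSP response must first have its BasicOCSPResponse pulled out of the responseBytes OCTET STRING.

```python
"""Report the hash used in the signature on a DER-encoded X.509 certificate,
CRL (CertificateList) or OCSP BasicOCSPResponse.

Added example for the SHA-1 deprecation thread; not code from the thread,
Microsoft or Entrust. DER support is deliberately minimal: definite lengths
and single-byte tags, which is all the three outer structures need.
"""

# signatureAlgorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (key algorithm, hash)
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("RSA", "MD5"),
    "1.2.840.113549.1.1.5": ("RSA", "SHA-1"),
    "1.2.840.113549.1.1.11": ("RSA", "SHA-256"),
    "1.2.840.113549.1.1.12": ("RSA", "SHA-384"),
    "1.2.840.113549.1.1.13": ("RSA", "SHA-512"),
    "1.2.840.10045.4.1": ("ECDSA", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ECDSA", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ECDSA", "SHA-384"),
    "1.2.840.10045.4.3.4": ("ECDSA", "SHA-512"),
}


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not expected here")
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Certificate, CertificateList and BasicOCSPResponse all look like
    SEQUENCE { tbs..., signatureAlgorithm, signature }; the second element is
    the AlgorithmIdentifier of the signature on that object itself."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE expected")
    _, _, pos = _read_tlv(body, 0)      # skip tbsCertificate / tbsCertList / tbsResponseData
    tag, alg, _ = _read_tlv(body, pos)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier SEQUENCE expected")
    tag, oid_raw, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("OID expected")
    oid = _decode_oid(oid_raw)
    # RSASSA-PSS (1.2.840.113549.1.1.10) keeps its hash in the parameters;
    # anything not in the table is reported by OID instead of guessed.
    return SIG_ALG_OIDS.get(oid, ("unknown", oid))


def sha1_findings(records):
    """records: iterable of (label, der). Returns labels whose own signature uses
    SHA-1. A CA certificate and the CRL/OCSP responses it signs are separate
    records because each carries its own signature hash."""
    return [label for label, der in records if signature_algorithm(der)[1] == "SHA-1"]


# --- constructed sample objects (no real keys or signatures) -------------------

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return bytes(out)


def constructed_signed_object(sig_oid):
    """Skeleton with the shared outer shape; tbs is a placeholder INTEGER."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # NULL params
    sig = _tlv(0x03, b"\x00" + bytes(32))                              # dummy BIT STRING
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    inventory = [  # constructed: a SHA-256 CA whose CRL is still SHA-1 signed
        ("issuing CA certificate", constructed_signed_object("1.2.840.113549.1.1.11")),
        ("CRL from issuing CA", constructed_signed_object("1.2.840.113549.1.1.5")),
        ("OCSP response", constructed_signed_object("1.2.840.10045.4.3.2")),
    ]
    for label, der in inventory:
        print(label, signature_algorithm(der))
    print("SHA-1 signatures:", sha1_findings(inventory))
```

Run against real DER from a CA, this reports the CA certificate and its CRL/OCSP output as separate findings, which is exactly the split (certificate signed with SHA-1 versus CRL/OCSP signature made with SHA-1) that the question asks Microsoft to rule on for both root and issuing CAs.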

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public