[cabfpub] Updates to Microsoft SHA-1 deprecation
sleevi at google.com
Mon Mar 23 11:29:44 MST 2015
On Mon, Mar 23, 2015 at 10:51 AM, Rick Andrews <Rick_Andrews at symantec.com>
> Thanks, Erwann. I missed that.
> Two questions for Anoosh:
> 1) What’s the rationale for 1/1/2016? I’m almost certain that Tom
> said it wouldn’t be required until 1/1/2017.
While I can't speak for Microsoft, I would think it's safe to presume that
Microsoft, Mozilla, and Google have all stated that *new* certificates
(that is, *new* signatures) for SSL should not be issued after 1/1/2016.
The 1/1/2017 date applies for *existing* certificates (e.g. all those
issued *before* 1/1/2016).
The Microsoft Code Signing policy is effectively the same timeline. All
code *without* timestamps and SHA-1 will be rejected on 1/1/2016, since
it's impossible to know whether it is new or old code. If the code has a
timestamp, and it was dated before 1/1/2016, that's effectively an
attestation that the *signature* was made before 1/1/2016 (same as the SSL
date), and thus can be allowed.
All *new* code issued after 1/1/2016 (that is, any code with a timestamp
greater than 1/1/2016, or with no timestamp at all) will be rejected on
1/1/2016. Again, same dates as SSL.
> 2) Echoing Bruce’s comment, is there any way that you can pull all
> the details together in a more understandable format? IMO, I shouldn’t have
> to read through all 5 pages of comments to see what the policy is. It’s
> great that Microsoft accepts comments (and answers them!) but if someone
> posts a question it probably means that the policy statement is lacking,
> and should be updated.
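The timeline Ryan lays out above (SHA-1 SSL certificates versus timestamped and untimestamped SHA-1 code signatures), turned into a small policy checker. This is an added example, not code from the thread or from any of the vendors named in it; the `Signature` fields and the `evaluate` function are assumptions made for illustration, and the cut-off dates are the ones stated in the message.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Cut-off dates as stated in the thread. This models the described policy
# for illustration; it is not any vendor's actual implementation.
NEW_SHA1_CUTOFF = date(2016, 1, 1)       # no new SHA-1 signatures from this date
EXISTING_SHA1_SUNSET = date(2017, 1, 1)  # SHA-1 SSL certs issued earlier stop here


@dataclass
class Signature:
    kind: str                          # "ssl" or "code" (assumed field names)
    hash_alg: str                      # e.g. "sha1", "sha256"
    issued_on: Optional[date] = None   # SSL: certificate notBefore
    timestamp: Optional[date] = None   # code: countersignature (timestamp) date, if any


def evaluate(sig: Signature, today: date) -> str:
    """Return 'accept' or 'reject' for sig when it is checked on `today`."""
    if sig.hash_alg.lower() != "sha1":
        return "accept"                # the policy only restricts SHA-1
    if today < NEW_SHA1_CUTOFF:
        return "accept"                # nothing changes before 1/1/2016
    if sig.kind == "ssl":
        # Existing certificates (issued before 2016) keep working until 1/1/2017;
        # anything issued on or after 1/1/2016 is treated as a new SHA-1 signature.
        if sig.issued_on is not None and sig.issued_on < NEW_SHA1_CUTOFF \
                and today < EXISTING_SHA1_SUNSET:
            return "accept"
        return "reject"
    if sig.kind == "code":
        # Only a timestamp dated before the cutoff attests that the signature is
        # old. No timestamp, or one dated on/after 1/1/2016, means reject.
        if sig.timestamp is not None and sig.timestamp < NEW_SHA1_CUTOFF:
            return "accept"
        return "reject"
    raise ValueError(f"unknown signature kind: {sig.kind}")
```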