[cabfpub] Updates to Microsoft SHA-1 deprecation

Erwann Abalea erwann.abalea at opentrust.com
Mon Mar 23 16:05:27 UTC 2015


http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx#pi47623=2

CRLs will be SHA2-signed by 01/01/2016. See responses by "Amerk [MSFT]".

-- 
Erwann ABALEA

On 23/03/2015 16:57, Rick Andrews wrote:
>
> Bruce,
>
> At the Beijing meeting, Tom Albertson said that by 1/1/2017, even CRLs 
> for SHA-1 roots had to be signed with SHA-2.
>
> Anoosh, I assume that’s still Microsoft’s policy.
>
> -Rick
>
> *From:* public-bounces at cabforum.org 
> [mailto:public-bounces at cabforum.org] *On Behalf Of* Bruce Morton
> *Sent:* Monday, March 23, 2015 7:40 AM
> *To:* Anoosh Saboori
> *Cc:* CABFPub
> *Subject:* Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
>
> Hi Anoosh,
>
> I might be the only one, but I am a little confused regarding the 
> Windows hashing requirements. It would be great if there was a matrix 
> to show/confirm your requirements per Windows version.
>
> I am thinking that the following must be covered:
>
> · SSL certificates
> · Code Signing certificates
> · S/MIME certificates
> · Time-stamping certificates
> · OCSP signing certificates
> · Code signing signatures
> · Time-stamp signatures
> · CRL signatures
> · OCSP signatures
> · there must be more …
>
> An issue that I want to understand is, since some certificates can be 
> SHA-1, can the CRL/OCSP response be signed with a SHA-1 certificate? 
> Can the signature be SHA-1? We would need to understand this for both 
> root and issuing CAs.
>
> If we can nail this down, then it will be easier to draft a spec for 
> our implementation teams.
>
> Thanks, Bruce.
>
> *From:* Anoosh Saboori [mailto:ansaboor at microsoft.com]
> *Sent:* Saturday, March 21, 2015 8:29 PM
> *To:* Bruce Morton
> *Cc:* CABFPub
> *Subject:* RE: [cabfpub] Updates to Microsoft SHA-1 deprecation
>
> Windows enforcement dates (i.e., date at which SHA-1 certificates will 
> be rejected by Windows) only apply to SSL and code signing 
> certificates. All other types of certificates will be rejected on 
> Windows side when SHA-1 pre-image attacks are deemed feasible by 
> Microsoft.
>
> Anoosh
>
> *From:* Bruce Morton [mailto:bruce.morton at entrust.com]
> *Sent:* Friday, March 20, 2015 6:47 PM
> *To:* Anoosh Saboori
> *Cc:* CABFPub
> *Subject:* Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
>
> Hi Anoosh,
>
> Thank you for the update.
>
> I don't think the policy for S/MIME certificates has been stated. I 
> see some discussion in the comments. Could you also advise how the 
> SHA-1 deprecation policy applies to S/MIME certificates.
>
> Thanks, Bruce.
>
>
> On Mar 20, 2015, at 8:57 PM, Anoosh Saboori <ansaboor at microsoft.com 
> <mailto:ansaboor at microsoft.com>> wrote:
>
>     Hello,
>
>     I would like to inform you that Microsoft has made an update to its
>     SHA-1 deprecation policy to accommodate developers targeting
>     Vista/Server 2008. Please see below.
>
>     http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
>
>
>     Anoosh
>
>     _______________________________________________
>     Public mailing list
>     Public at cabforum.org <mailto:Public at cabforum.org>
>     https://cabforum.org/mailman/listinfo/public
>
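Added example, not part of the thread and not Microsoft or CA tooling: a small Python audit that reads the outer signatureAlgorithm of DER-encoded certificates and CRLs and flags the SHA-1 ones, which is what is needed to fill in the per-object hash matrix Bruce asks for from a CA's real artefacts (the signature hash of a CRL is independent of the hash used to sign the issuing certificate). The SAMPLES are constructed DER stand-ins with an empty TBS and a dummy signature, not real CA objects.

```python
# OID -> name for the RSA signature algorithms the thread is concerned with
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def _tlv(der, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                              # base-128 arcs, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Outer signatureAlgorithm of a DER Certificate or CertificateList, both of which are
    SEQUENCE { tbs SEQUENCE, signatureAlgorithm AlgorithmIdentifier, signature BIT STRING }."""
    _, start, _ = _tlv(der, 0)                     # outer SEQUENCE
    _, _, tbs_end = _tlv(der, start)               # skip tbsCertificate / tbsCertList
    _, alg_start, _ = _tlv(der, tbs_end)           # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OBJECT IDENTIFIER"
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_ALGS.get(oid, oid)                  # unknown OIDs are reported in dotted form

def sha1_report(objects):
    """{label: der} -> {label: (algorithm, signed_with_sha1)}, one row per object type."""
    return {label: (alg, "sha1" in alg.lower())
            for label, alg in ((l, signature_algorithm(d)) for l, d in objects.items())}

# Constructed stand-ins (not real CA artefacts): a SHA-1-signed root cert beside a SHA-256-signed CRL.
OID_SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"     # 1.2.840.113549.1.1.5
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11

def _der(tag, body):                               # short-form length only; enough here
    return bytes([tag, len(body)]) + body

def sample_object(oid_der):
    alg = _der(0x30, _der(0x06, oid_der) + b"\x05\x00")       # AlgorithmIdentifier + NULL params
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00\xaa"))

SAMPLES = {"sha1-root.cer": sample_object(OID_SHA1_RSA), "root.crl": sample_object(OID_SHA256_RSA)}
```

On real files, pass the bytes of a `.cer` or `.crl` (DER, not PEM) to `signature_algorithm`; the parser only walks the three outer elements, so the size of the TBS does not matter.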
