[cabfpub] Updates to Microsoft SHA-1 deprecation
Erwann Abalea
erwann.abalea at opentrust.com
Mon Mar 23 16:05:27 UTC 2015
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx#pi47623=2
CRLs will be SHA2-signed by 01/01/2016. See responses by "Amerk [MSFT]".
--
Erwann ABALEA
On 23/03/2015 16:57, Rick Andrews wrote:
>
> Bruce,
>
> At the Beijing meeting, Tom Albertson said that by 1/1/2017, even CRLs
> for SHA-1 roots had to be signed with SHA-2.
>
> Anoosh, I assume that’s still Microsoft’s policy.
>
> -Rick
>
> *From:*public-bounces at cabforum.org
> [mailto:public-bounces at cabforum.org] *On Behalf Of *Bruce Morton
> *Sent:* Monday, March 23, 2015 7:40 AM
> *To:* Anoosh Saboori
> *Cc:* CABFPub
> *Subject:* Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
>
> Hi Anoosh,
>
> I might be the only one, but I am a little confused regarding the
> Windows hashing requirements. It would be great if there was a matrix
> to show/confirm your requirements per Windows version.
>
> I am thinking that the following must be covered:
>
> - SSL certificates
> - Code Signing certificates
> - S/MIME certificates
> - Time-stamping certificates
> - OCSP signing certificates
> - Code signing signatures
> - Time-stamp signatures
> - CRL signatures
> - OCSP signatures
> - there must be more …
>
> An issue that I want to understand is, since some certificates can be
> SHA-1, can the CRL/OCSP response be signed with a SHA-1 certificate?
> Can the signature be SHA-1? We would need to understand this for both
> root and issuing CAs.
>
> If we can nail this down, then it will be easier to draft a spec for
> our implementation teams.
>
> Thanks, Bruce.
>
> *From:*Anoosh Saboori [mailto:ansaboor at microsoft.com]
> *Sent:* Saturday, March 21, 2015 8:29 PM
> *To:* Bruce Morton
> *Cc:* CABFPub
> *Subject:* RE: [cabfpub] Updates to Microsoft SHA-1 deprecation
>
> Windows enforcement dates (i.e., date at which SHA-1 certificates will
> be rejected by Windows) only apply to SSL and code signing
> certificates. All other types of certificates will be rejected on
> Windows side when SHA-1 pre-image attacks are deemed feasible by
> Microsoft.
>
> Anoosh
>
> *From:*Bruce Morton [mailto:bruce.morton at entrust.com]
> *Sent:* Friday, March 20, 2015 6:47 PM
> *To:* Anoosh Saboori
> *Cc:* CABFPub
> *Subject:* Re: [cabfpub] Updates to Microsoft SHA-1 deprecation
>
> Hi Anoosh,
>
> Thank you for the update.
>
> I don't think the policy for S/MIME certificates has been stated. I
> see some discussion in the comments. Could you also advise how the
> SHA-1 deprecation policy applies to S/MIME certificates.
>
> Thanks, Bruce.
>
>
> On Mar 20, 2015, at 8:57 PM, Anoosh Saboori <ansaboor at microsoft.com> wrote:
>
> Hello,
>
> I would like to inform you that Microsoft has made an update to its
> SHA-1 deprecation policy to accommodate developers targeting
> Vista/Server 2008. Please see below.
>
> http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
>
>
> Anoosh
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public