[cabfpub] Updates to Microsoft SHA-1 deprecation

Ryan Sleevi sleevi at google.com
Mon Mar 23 18:29:44 UTC 2015

On Mon, Mar 23, 2015 at 10:51 AM, Rick Andrews <Rick_Andrews at symantec.com>

> Thanks, Erwann. I missed that.
> Two questions for Anoosh:
> 1)      What’s the rationale for 1/1/2016? I’m almost certain that Tom
> said it wouldn’t be required until 1/1/2017.

While I can't speak for Microsoft, I would think it's safe to presume the
obvious rationale.

Microsoft, Mozilla, and Google have all stated that *new* certificates
(that is, *new* signatures) for SSL should not be issued after 1/1/2016.
The 1/1/2017 date applies for *existing* certificates (e.g. all those
issued *before* 1/1/2016)

The Microsoft Code Signing policy is effectively the same timeline. All
code *without* timestamps and SHA-1 will be rejected on 1/1/2016, since
it's impossible to know whether it is new or old code. If the code has a
timestamp, and it was dated before 1/1/2016, that's effectively an
attestation that the *signature* was made before 1/1/2016 (same as the SSL
date), and thus can be allowed.

All *new* code issued after 1/1/2016 (that is, any code with a timestamp
greater than 1/1/2016, or with no timestamp at all) will be rejected on
1/1/2016. Again, same dates as SSL.

> 2)      Echoing Bruce’s comment, is there any way that you can pull all
> the details together in a more understandable format? IMO, I shouldn’t have
> to read through all 5 pages of comments to see what the policy is. It’s
> great that Microsoft accepts comments (and answers them!) but if someone
> posts a question it probably means that the policy statement is lacking,
> and should be updated.
> -Rick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150323/6c9bd4b3/attachment-0003.html>

More information about the Public mailing list