[cabfpub] Microsoft Proposed Updates to the SHA-1 Deprecation Timeline

Jody Cloutier jodycl at microsoft.com
Fri Nov 6 19:55:43 UTC 2015


I’ll leave it to Sakib to respond.

From: Doug Beattie [mailto:doug.beattie at globalsign.com]
Sent: Friday, November 6, 2015 10:52 AM
To: Wayne Thayer <wthayer at godaddy.com>; Bruce Morton <bruce.morton at entrust.com>; Jody Cloutier <jodycl at microsoft.com>; public at cabforum.org
Cc: Magnus Nyström <mnystrom at microsoft.com>; Nazmus Sakib <mdsakib at microsoft.com>
Subject: RE: [cabfpub] Microsoft Proposed Updates to the SHA-1 Deprecation Timeline

Jody,

I sent an email on this topic on October 28th with a similar recommendation.  We agree with Wayne’s assessment and request for information below.

Doug

From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of Wayne Thayer
Sent: Friday, November 6, 2015 12:31 PM
To: Bruce Morton <bruce.morton at entrust.com<mailto:bruce.morton at entrust.com>>; Jody Cloutier <jodycl at microsoft.com<mailto:jodycl at microsoft.com>>; public at cabforum.org<mailto:public at cabforum.org>
Cc: Magnus Nyström <mnystrom at microsoft.com<mailto:mnystrom at microsoft.com>>; Nazmus Sakib <mdsakib at microsoft.com<mailto:mdsakib at microsoft.com>>
Subject: Re: [cabfpub] Microsoft Proposed Updates to the SHA-1 Deprecation Timeline

Bruce’s comments on the risk of new issuance versus continued reliance on existing SHA-1 certs makes sense to me. Can someone from Microsoft (or Mozilla given that they are considering a similar policy change) respond to this question in the context of accelerating the deadline to stop trusting existing SHA-1 certificates?

Pulling the TLS deadline in by 7 months significantly increases the number of out-of-band replacements required because we have continued allowing the issuance of SHA-1 certs that expire prior to 2017 for the past 2 year since the original SHA-1 policy was announced. It also creates confusion since the 2017 deadline has been widely publicized. I’d like to gain a better understanding of the specific risk being mitigated by distrusting existing certificates sooner since it will cause significant pain for CAs and our customers if implemented.

Thanks,

Wayne

From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of Bruce Morton
Sent: Friday, October 30, 2015 8:12 AM
To: Jody Cloutier <jodycl at microsoft.com<mailto:jodycl at microsoft.com>>; public at cabforum.org<mailto:public at cabforum.org>
Cc: Magnus Nyström <mnystrom at microsoft.com<mailto:mnystrom at microsoft.com>>; Nazmus Sakib <mdsakib at microsoft.com<mailto:mdsakib at microsoft.com>>
Subject: Re: [cabfpub] Microsoft Proposed Updates to the SHA-1 Deprecation Timeline

Jody,

The Baseline Requirements state “Effective 1 January 2016, CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using the SHA‐1 hash algorithm.” This appears to be more restrictive than your proposal below and will mitigate collision attacks in about 2 months from now.

I do not understand what the issue with SHA-1 signed certificates which are already issued. They would no longer be subject to a collision attack and there appears to be no risk of a preimage/second-preimage attack during their validity period. I do not think the latest SHA-1 news has changed this understanding. I think your policy respects the issue with preimage for other certificates and see no reason why it shouldn’t be extended to SSL/TLS certificates. Nevertheless, we do understand that Windows will deprecate SHA-1 starting 1 January 2017 and this information has been provided to most Subscribers.

Thanks, Bruce.

From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of Jody Cloutier
Sent: Wednesday, October 28, 2015 4:20 PM
To: public at cabforum.org<mailto:public at cabforum.org>
Cc: Magnus Nyström <mnystrom at microsoft.com<mailto:mnystrom at microsoft.com>>; Nazmus Sakib <mdsakib at microsoft.com<mailto:mdsakib at microsoft.com>>
Subject: [cabfpub] Microsoft Proposed Updates to the SHA-1 Deprecation Timeline
Importance: High

In light of the recent news about potential SHA-1 vulnerabilities, Microsoft is considering changes to its SHA-1 deprecation policy, and we would like industry feedback on the ramification.

Generally, Microsoft proposes that it will move in the previously-announced January 1, 2017 date at which Windows products would no longer trust SHA-1 certificates issued by roots in the Trusted Root Program and signed with the Mark of the Web. This proposal would change that date to June 1, 2016.

The summary of changes are as follows:


1.     CAs should move to issuing SHA-2 for signing OCSP responses for SHA-2 SSL certificates. Windows will no longer trust OCSP responses that use SHA-1 for their signature if the corresponding certificate had the Must Staple extension after January 1, 2016. Windows will no longer trust OCSP responses that use SHA-1 for any SSL certificates after June 1, 2016.

2.     Windows will no longer trust files with the Mark of the Web attribute that are timestamped with a SHA-1 signature hash after 6/1/2016 on Windows 10 systems.

3.     CAs may not issue SHA-1 certificates after December 31, 2016 (this is more restrictive than the current CAB Forum guidelines)

Certificate Type

Windows Behavior

Microsoft Policy

TLS certificates

Certificates signed with SHA-1 will be Blocked after 1/1/2017

[Update] Certificates signed with SHA-1 will be Blocked after 6/1/2016

CAs must move all new certs to
SHA-2 after 1/1/2016

[Update] CAs must move all new certs to SHA-2 immediately

Code signing certificates

On Win 7 and above, blocked on 1/1/2020 if time stamped before 1/1/2016, otherwise, blocked after 1/1/2016 for Mark of the Web files.

[Update] On Win 7 and above, blocked on 1/1/2017 if time stamped before 1/1/2016, otherwise, blocked after 1/1/2016 for Mark of the Web files.

SmartScreen data may be used to allow certificates with good reputation


CAs should issue new code signing certs with SHA-1 after 1/1/2016 only for developers
targeting
Vista/2008, otherwise, move all new certs to SHA2

S/MIME certificates

No OS specific policies. Application policies.

CAs are recommended to move to SHA-2

Time-stamping certificates

No changes until SHA-1 preimage is possible

CAs must issue new TS certs with SHA-1 after 1/1/2016 only for developers targeting
Vista/2008, otherwise, move all new certs to SHA2

OCSP signing and CRL signing certificates

No changes until SHA-1 preimage is possible

No changes until SHA-1 preimage is possible

OCSP signatures

On Windows 10 and above for certificates with the Must Staple extension, SHA-1 signatures will not be accepted after 1/1/2016

On Windows 10 and above, SHA-1 signatures will not be accepted for any SSL certificate after 1/1/2017

[Update] Windows will no longer trust OCSP responses that use SHA-1 for their signature if the corresponding certificate had the Must Staple extension after January 1, 2016. Windows will no longer trust OCSP responses that use SHA-1 for any SSL certificates after June 1, 2016.


CAs should move to using SHA-2 starting 1/1/2016 for SHA-2 SSL certificates.

CAs should prepare to move to SHA-2 for all SSL certificates by 1/1/2017

[Update] CAs should move to issuing SHA-2 for signing OCSP responses for SHA-2 SSL certificates.

CRL signatures

No changes until SHA-1 preimage is possible

No changes until SHA-1 preimage is possible

Code signing signatures

No changes until SHA-1 preimage is possible

No changes until SHA-1 preimage is possible

Time-stamp signatures

On Win 10 and above, blocked on 1/1/2017 for Mark of the Web files.

[Update] On Win 10 and above, blocked on 6/1/2016 for Mark of the Web files.


CAs should move to using SHA-2 starting 1/1/2016


Microsoft is asking for feedback from Forum members on the implications to the industry should we move forward with these changes. Please provide comments before Monday, November 2, 2015 by replying to this mail.

Thank you,

Jody Cloutier
Senior Security Program Manager
Microsoft Trusted Root Certificate Program<http://aka.ms/rootcert>
[cid:image001.png at 01D066D6.E5E48E60]<sip:jodycl at microsoft.com>[cid:image002.png at 01D066D6.E5E48E60]<tel:+1%20(425)%20705-7566>[cid:image003.png at 01D066D6.E5E48E60]<mailto:jodycl at microsoft.com>
[https://brandtools.microsoft.com/Style%20Library/BT/Images/MicrosoftMasterLogo.png]<http://microsoft.com/>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151106/ed46504c/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 3208 bytes
Desc: image001.png
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151106/ed46504c/attachment-0012.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 3340 bytes
Desc: image002.png
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151106/ed46504c/attachment-0013.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 3315 bytes
Desc: image003.png
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151106/ed46504c/attachment-0014.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 1181 bytes
Desc: image004.png
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151106/ed46504c/attachment-0015.png>


More information about the Public mailing list