[cabfpub] Ballot 152 - Issuance of SHA-1 certificates through 2016

Gervase Markham gerv at mozilla.org
Wed Oct 14 17:29:52 UTC 2015

On 12/10/15 19:19, Rick Andrews wrote:
> Symantec and the endorsers withdraw this ballot.

I'm not sad to see this ballot go, but there was one aspect of it which
seems worth preserving:

> Effective 1 January 2016, CAs MUST NOT issue Subscriber Certificates
> utilizing the SHA-1 algorithm with an Expiry Date greater than 1
> January 2017. Any SHA-1 Subscriber Certificates issued after 1
> January 2016 must be signed by a Subordinate CA certificate with a
> basicConstraints pathLen=0.

If this provision is acceptable as part of the larger change, it should
be acceptable on its own. While browsers are able to reject such certs,
and all major ones have stated that they will do so, forbidding their
issuance would reduce the number of surprised or upset website owners on
1st January 2017.

So I am minded to propose a ballot containing only this language. Comments?

