[cabfpub] Ballot 152 - Issuance of SHA-1 certificates through 2016

Geoff Keating geoffk at apple.com
Wed Oct 14 21:03:57 UTC 2015


> On 14 Oct 2015, at 10:29 AM, Gervase Markham <gerv at mozilla.org> wrote:
> 
> On 12/10/15 19:19, Rick Andrews wrote:
>> Symantec and the endorsers withdraw this ballot.
> 
> I'm not sad to see this ballot go, but there was one aspect of it which
> seems worth preserving:
> 
>> Effective 1 January 2016, CAs MUST NOT issue Subscriber Certificates 
>> utilizing the SHA‐1 algorithm with an Expiry Date greater than 1 
>> January 2017. Any SHA-1 Subscriber Certificates issued after 1 
>> January 2016 must be signed by a Subordinate CA certificate with a 
>> basicConstraints pathLen=0.”.
> 
> If this provision is acceptable as part of the larger change, it should
> be acceptable on its own. While browsers are able to reject such certs,
> and all major ones have stated that they will do so, forbidding their
> issuance would reduce the number of surprised or upset website owners on
> 1st January 2017.
> 
> So I am minded to propose a ballot containing only this language. Comments?

The current position is:
> 
> Effective 1 January 2016, CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using the SHA‐1 hash algorithm. CAs MAY continue to sign certificates to verify OCSP responses using SHA1 until 1 January 2017. This Section 7.1.3 does not apply to Root CA or CA cross certificates. CAs MAY continue to use their existing SHA‐1 Root Certificates. SHA‐2 Subscriber certificates SHOULD NOT chain up to a SHA‐1 Subordinate CA Certificate.
> 
> Effective 16 January 2015, CAs SHOULD NOT issue Subscriber Certificates utilizing the SHA‐1 algorithm with an Expiry Date greater than 1 January 2017 because Application Software Providers are in the process of deprecating and/or removing the SHA‐1 algorithm from their software, and they have communicated that CAs and Subscribers using such certificates do so at their own risk. 
> 

so this would change the second paragraph to say ‘Effective 1 January 2016, CAs MUST NOT…’, correct?  But that’s pointless, because the first paragraph already says that.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151014/cb16c164/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3321 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151014/cb16c164/attachment-0001.p7s>


More information about the Public mailing list