[cabfpub] Ballot 152 - Issuance of SHA-1 certificates through 2016

Richard Barnes rbarnes at mozilla.com
Wed Oct 14 21:06:04 UTC 2015

I think the idea would be to take the SHOULD NOT from that second paragraph
and make it a MUST NOT.

Sent from my iPhone.  Please excuse brevity.

On Oct 14, 2015, at 14:04, Geoff Keating <geoffk at apple.com> wrote:

On 14 Oct 2015, at 10:29 AM, Gervase Markham <gerv at mozilla.org> wrote:

On 12/10/15 19:19, Rick Andrews wrote:

Symantec and the endorsers withdraw this ballot.

I'm not sad to see this ballot go, but there was one aspect of it which
seems worth preserving:

Effective 1 January 2016, CAs MUST NOT issue Subscriber Certificates
utilizing the SHA‐1 algorithm with an Expiry Date greater than 1
January 2017. Any SHA-1 Subscriber Certificates issued after 1
January 2016 must be signed by a Subordinate CA certificate with a
basicConstraints pathLen=0.”.

If this provision is acceptable as part of the larger change, it should
be acceptable on its own. While browsers are able to reject such certs,
and all major ones have stated that they will do so, forbidding their
issuance would reduce the number of surprised or upset website owners on
1st January 2017.

So I am minded to propose a ballot containing only this language. Comments?

The current position is:

Effective 1 January 2016, CAs MUST NOT issue any new Subscriber
certificates or Subordinate CA certificates using the SHA‐1 hash algorithm.
CAs MAY continue to sign certificates to verify OCSP responses using SHA1
until 1 January 2017. This Section 7.1.3 does not apply to Root CA or CA
cross certificates. CAs MAY continue to use their existing SHA‐1 Root
Certificates. SHA‐2 Subscriber certificates SHOULD NOT chain up to a SHA‐1
Subordinate CA Certificate.

Effective 16 January 2015, CAs SHOULD NOT issue Subscriber Certificates
utilizing the SHA‐1 algorithm with an Expiry Date greater than 1 January
2017 because Application Software Providers are in the process of
deprecating and/or removing the SHA‐1 algorithm from their software, and
they have communicated that CAs and Subscribers using such certificates do
so at their own risk.

so this would change the second paragraph to say ‘Effective 1 January 2016,
CAs MUST NOT…’, correct?  But that’s pointless, because the first paragraph
already says that.

Public mailing list
Public at cabforum.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151014/fb0206e0/attachment-0003.html>

More information about the Public mailing list