[cabfpub] Ballot 152 - Issuance of SHA-1 certificates through 2016)

Gervase Markham gerv at mozilla.org
Tue Oct 20 07:31:14 UTC 2015

On 20/10/15 03:15, Dean Coclin wrote:
> Thanks to you and Jacob for providing the relevant information. I’ll be
> sure to pass it on.  Does anyone have anything else to add?

One thing that wasn't really clear in the discussions in Istanbul,
because the news of the new break broke and we never really clarified
it, is this: are these customers wanting simply a change in the CAB
Forum BRs, or are they also wanting the browser makers to change their
code (because for us, it would be a code change) to accept such
2016->2016 certificates?

It still remains an option for CAs to withdraw particular roots from
browsers, and so from BR compliance, before the end of the year, if they
are quick. Although that does raise a question for Ryan: how are the
following two scenarios different? A) CA withdraws a root from the
public root stores and then uses it to issue SHA-1. B) CA doesn't
withdraw such a root, but all browsers refuse to accept the issued SHA-1
certs. In both cases, the certs are not accepted by the browsers. In
fact, in case B), you could have a harder fail if you wanted.

I would also add a little bit to Ryan's points on the first mover
problem. If you have a single hard deadline when everything has to stop
- issuance and acceptance - history shows us that people do the thing
you don't want them to do right up to the deadline, and then complain
and ask for it to be moved so there can be a "more ordered transition".
A phased transition is what we now have - no issuance from Jan 1 2016,
no acceptance from Jan 1 2017. Moving back towards the "everything at
once" model runs, IMO, a greater risk of problems at the transition point.

My last point is one I made in Istanbul: it was obvious in 2007, when
the CAB Forum started, that issuing non-public certs from the same roots
as public certs was a bad idea, and it's even more obvious now. Any CA
still doing this for non-legacy deployments needs their head examining.


More information about the Public mailing list