[cabfpub] Microsoft Proposed Updates to the SHA-1 Deprecation Timeline

Eddy Nigg eddy_nigg at startcom.org
Wed Oct 28 20:36:09 UTC 2015

On 10/28/2015 10:20 PM, Jody Cloutier wrote:
> In light of the recent news about potential SHA-1 vulnerabilities, 
> Microsoft is considering changes to its SHA-1 deprecation policy, and 
> we would like industry feedback on the ramification.
> Generally, Microsoft proposes that it will move in the 
> previously-announced January 1, 2017 date at which Windows products 
> would no longer trust SHA-1 certificates issued by roots in the 
> Trusted Root Program and signed with the Mark of the Web. *This 
> proposal would change that date to June 1, 2016.*

I think this would result in major issues for many web site owners and 
the issuing CA since the plan called for the 2017 deadline AND....

> 3. CAs may not issue SHA-1 certificates after December 31, 2016 (this 
> is more restrictive than the current CAB Forum guidelines)

...I think this is crucial and will probably prevent the attack vectors 
on SHA1 as currently known. I believe that already issued SHA1 
certificates should be safe except in case it was possible to forge a 
hash on a certificate already by now.

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>
