[cabfpub] Microsoft Proposed Updates to the SHA-1 Deprecation Timeline

Doug Beattie doug.beattie at globalsign.com
Wed Oct 28 21:03:58 UTC 2015

Hi Jody,

I agree with Eddy.  We "just" finalized and pushed out the SHA-1 requirements and set expectations accordingly and this would disrupt the current SHA-1 ecosystem with a 7-month change in the deprecation date (January back to June), also, June 1 is only 7 months away.  Some customers are already struggling with complying with the current requirements. With the certificate serial number entropy and the fact we're not issuing any SSL certificates after 12/31/2015 we should be sufficiently protected against the recent improvements in breaking some aspects of SHA-1.  It's another story if SHA-1 is suddenly broken and the date needs to be changed, but that hasn't happened <yet>.

We would endorse a coordinated push by all industry players to strongly encourage all users to migrate by 1 June.  As a CA we've been doing this for well over a year with very good success, but we're not at 100% conversion of the user base to SHA-2.  While I don't necessarily endorse this, browser vendors can always modify their UI treatment of SHA-1 certificates or hierarchies to further encourage web site owners to move to SHA-2 before the deprecation date.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg
Sent: Wednesday, October 28, 2015 4:36 PM
To: Jody Cloutier <jodycl at microsoft.com>; public at cabforum.org
Cc: Magnus Nyström <mnystrom at microsoft.com>; Nazmus Sakib <mdsakib at microsoft.com>
Subject: Re: [cabfpub] Microsoft Proposed Updates to the SHA-1 Deprecation Timeline

On 10/28/2015 10:20 PM, Jody Cloutier wrote:
In light of the recent news about potential SHA-1 vulnerabilities, Microsoft is considering changes to its SHA-1 deprecation policy, and we would like industry feedback on the ramification.

Generally, Microsoft proposes that it will move in the previously-announced January 1, 2017 date at which Windows products would no longer trust SHA-1 certificates issued by roots in the Trusted Root Program and signed with the Mark of the Web. This proposal would change that date to June 1, 2016.

I think this would result in major issues for many web site owners and the issuing CA since the plan called for the 2017 deadline AND....

1.      CAs may not issue SHA-1 certificates after December 31, 2016 (this is more restrictive than the current CAB Forum guidelines)

...I think this is crucial and will probably prevent the attack vectors on SHA1 as currently known. I believe that already issued SHA1 certificates should be save except in case it was possible to forge a hash on a certificate already by now.


Eddy Nigg, COO/CTO

StartCom Ltd.<http://www.startcom.org>


startcom at startcom.org<xmpp:startcom at startcom.org>


Join the Revolution!<http://blog.startcom.org>


Follow Me<http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151028/252fd0de/attachment-0003.html>

More information about the Public mailing list