[cabfpub] Microsoft Proposed Updates to the SHA-1 Deprecation Timeline

Doug Beattie doug.beattie at globalsign.com
Thu Oct 29 18:22:26 UTC 2015

Microsoft should have pulled their root from their root store then (with sufficient warning).

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Thursday, October 29, 2015 1:56 PM
To: Wayne Thayer <wthayer at godaddy.com>
Cc: CABFPub <public at cabforum.org>; Magnus Nyström <mnystrom at microsoft.com>; Doug Beattie <doug.beattie at globalsign.com>; Nazmus Sakib <mdsakib at microsoft.com>
Subject: RE: [cabfpub] Microsoft Proposed Updates to the SHA-1 Deprecation Timeline

On Oct 29, 2015 10:51 AM, "Wayne Thayer" <wthayer at godaddy.com<mailto:wthayer at godaddy.com>> wrote:
> 8 bytes of entropy in the serialNumber field has been a requirement of Microsoft’s root program since 2013: http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0/revision/15.aspx

And yet a number of notable CAs have been failing that policy for some time.

As it is, it isn't an audited requirement (part of the BRs or WebTrust/ETSI), nor has it been followed since required (for example, one large CA is still a month away from complying), so the risk to platforms is still very real.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151029/dbe61568/attachment-0003.html>

More information about the Public mailing list