[cabfpub] SHA-1 Wiki Posted

Doug Beattie doug.beattie at globalsign.com
Wed Sep 30 05:19:05 MST 2015


Hi Ryan,

We agree with the updates Jody made as this allows CAs to continue supporting SHA-1 signed OCSP and CRLs for our SHA-1 CAs “indefinitely”.  While Windows 10 and other clients may start to reject SHA-1 signed OCSP responses, those customer using SHA-1 will continue to function within their ecosystem until the certificates expire or the CA certificate is revoked.

I can’t find support for your statement “SHA-2 is required *and* enforced on 2017/01/01” as it relates to OCSP signatures.  I see that MS may not trust them, but I don’t see a requirement that CAs must not use SHA-1 after 1/1/2017.  Did I miss something in the MS article?

Doug



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Tuesday, September 29, 2015 6:49 PM
To: Jody Cloutier <jodycl at microsoft.com>
Cc: Microsoft Trusted Root Certificate Program <trustcert at microsoft.com>; public at cabforum.org
Subject: Re: [cabfpub] SHA-1 Wiki Posted




Jody,

Thanks for the quick response. I realize there's two parts to this - what the Microsoft root program expects, and what Windows will enforce. It's perfectly reasonable to expect something that isn't (yet) enforced - the Baseline Requirements are a great example of collaborating on setting expectations, even if we don't all programatically enforce them (e.g. validity period ranges of certificates, which only Chrome enforces, even though all of us expect it by virtue of the BRs)

With the new update, I want to make sure I'm reading this correctly:

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Enforcement_in_General
Under Bullet 7 (typod OSSP, btw), the Microsoft *policy* is that OCSP signatures must use SHA-2 beginning 2016/01/01

This is "Microsoft requires CAs to start issuing new OCSP signatures using only the SHA-2 algorithm after January 1, 2016 for SHA-2 SSL certificates"

This seems to conflict with Enforcement Details section, that describes the difference between Windows Behaviour and Microsoft Policy ( http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#H1_B )

which is that Microsoft policy is that CAs should move to SHA-2 (but presumably, if they should, it's not that they must). This seems consistent with your updated timeline under the Schedule section, which explicitly calls it out as SHOULD.

So I guess the ambiguity is whether the "requires" in Enforcement in General is a MUST or if it's a SHOULD.

I think the rest is clear (SHA-2 is required *and* enforced starting 2016/01/01 for anything with Must-Staple; SHA-2 is required *and* enforced on 2017/01/01), but it's a question about whether SHA-2 is required *but not* enforced starting 2016/01/01 - Schedule and Enforcement are clear that it's not enforced, but "Enforcement in General" is inconsistent with them both with regards to requirements of Microsoft Policy.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20150930/d46923f6/attachment.html 


More information about the Public mailing list