[cabfpub] CAB Forum Policy Change request

[Sigbjørn Vik]

> This message is from the AT&T Services, Inc., Chief Security Office,
> Data Protection Team.

> 1) Symantec’s proposal involves changing thousands of SHA-1 certificates
> that will translate to a high volume of unplanned operations and
> workload churn.

There is no need to replace certificates just because you got a new one.
I fail to see why the following wouldn't work: Get new certificates now,
and store them safely. Do not do anything with the existing
certificates. When you would otherwise replace a certificate with a new
one, instead of getting one issued, take a pre-issued one from your
secure storage and put that on your server.

> We request a policy change allowing Symantec to continue issuing
> less-than-one-year SHA-1 certificates after 12/31/2015 under their
> public trusted PKI hierarchy to support our remaining applications
> scheduled for SHA-256 adoption or retirement in 2016.

The CABForum is working for a more secure web. This includes making
sunset periods for insecure methods. Whatever we decide to sunset, there
will always be someone struggling to meet the deadline, and a lot of
businesses moving at the last possible date. If we allow extensions of
the deadline, there will be even more problems next time, as businesses
will expect it to be moveable should they run into problems. When to
migrate is a business decision, by extending the deadline now, we reward
those making insecure decisions and punish those pushing the security of
the web forwards. Based on this, Opera is opposed to extending the deadline.

Even if you get a CA to issue SHA-1 certificates in 2016, that doesn't
guarantee you that browsers would accept such certificates, browsers
will still only allow certificates they believe are in their user's
interest.

-- 
Sigbjørn Vik
Opera Software