[cabfpub] SHA-1 Wiki Posted

Ryan Sleevi sleevi at google.com
Fri Sep 25 23:09:40 UTC 2015


Thanks for publishing this, Jody.

When reading through, I noticed some inconsistency, so it might help to
clarify.

Under Item 7 of Enforcement in General (
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Enforcement_in_General
), it says

> "Microsoft requires CAs to start issuing new OCSP signatures using only
> the SHA-2 algorithm after January 1, 2016 for SHA-2 SSL certificates"


Under Enforcement Details,
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#H1_B,
for OCSP signatures it says

> "CAs should move to using SHA-2 starting 1/1/2016 for SHA-2 SSL
> certificates."


While under Schedule,
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Schedule

For OCSP signatures, on the 1/1/2016 date, it says

> "CAs MUST sign OCSP responses with SHA-2 only"


I'm guessing the 2/3 majority here wins, which is that beginning 2016/1/1,
all SHA-2 signed SSL certificates MUST have their OCSP responses signed
with a SHA-2 signature algorithm. Is that correct?

The confusion that arises is the somewhat weaker language in the Details
section ("should move"), although admittedly, I'm accustomed to IETF
language where "SHOULD" is more aligned with wishing on rainbows than
actual reality :)


On Fri, Sep 25, 2015 at 9:36 AM, Jody Cloutier <jodycl at microsoft.com> wrote:

> Microsoft published a new Wiki page that addresses many of the questions
> this audience has asked regarding SHA-1. Please see http://aka.ms/sha1
> for more information. Our goal is to add to the FAQ section as new
> questions come up.
>
> Please let me know if you have any questions.
>
> Jody Cloutier
> Senior Security Program Manager
> Microsoft Trusted Root Certificate Program <http://aka.ms/rootcert>
> Operating Systems Group, Global Risk Management and Compliance
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public