[cabfpub] SHA-1 Wiki Posted

Jody Cloutier jodycl at microsoft.com
Tue Sep 29 22:35:33 UTC 2015

Hi Ryan,

I talked to Sakib about this, and we decided to change "CAs MUST sign OCSP responses with SHA-2 only" to "CAs SHOULD sign OCSP responses with SHA-2 only" on January 1, 2016, because Windows will not actually enforce on this date.

Check out the update.


From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, September 25, 2015 4:10 PM
To: Jody Cloutier <jodycl at microsoft.com>
Cc: public at cabforum.org; Microsoft Trusted Root Certificate Program <trustcert at microsoft.com>
Subject: Re: [cabfpub] SHA-1 Wiki Posted

Thanks for publishing this, Jody.

When reading through, I noticed some inconsistency, so it might help to clarify.

Under Item 7 of Enforcement in General ( http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Enforcement_in_General ), it says
"Microsoft requires CAs to start issuing new OCSP signatures using only the SHA-2 algorithm after January 1, 2016 for SHA-2 SSL certificates"

Under Enforcement Details, http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#H1_B, for OCSP signatures it says
"CAs should move to using SHA-2 starting 1/1/2016 for SHA-2 SSL certificates."

While under Schedule, http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Schedule
For OCSP signatures, on the 1/1/2016 date, it says
"CAs MUST sign OCSP responses with SHA-2 only"

I'm guessing the 2/3 majority here wins, which is that beginning 2016/1/1, all SHA-2 signed SSL certificates MUST have their OCSP responses signed with a SHA-2 signature algorithm. Is that correct?

The confusion that arises is the somewhat weaker language in the Details section ("should move"), although admittedly, I'm accustomed to IETF language where "SHOULD" is more aligned with wishing on rainbows than actual reality :)

On Fri, Sep 25, 2015 at 9:36 AM, Jody Cloutier <jodycl at microsoft.com> wrote:
Microsoft published a new Wiki page that addresses many of the questions this audience has asked regarding SHA-1. Please see http://aka.ms/sha1 for more information. Our goal is to add to the FAQ section as new questions come up.

Please let me know if you have any questions.

Jody Cloutier
Senior Security Program Manager
Microsoft Trusted Root Certificate Program<http://aka.ms/rootcert>
Operating Systems Group  Global Risk Management and Compliance
