[cabfpub] SHA-1 Wiki Posted

Ryan Sleevi sleevi at google.com
Tue Sep 29 22:49:13 UTC 2015


On Tue, Sep 29, 2015 at 3:35 PM, Jody Cloutier <jodycl at microsoft.com> wrote:

> Hi Ryan,
>
> I talked to Sakib about this, and we decided to change "CAs MUST sign OCSP
> responses with SHA-2 only" to "CAs SHOULD sign OCSP responses with SHA-2
> only" on January 1, 2016, because Windows will not actually enforce on this
> date.
>
> Check out the update.
>
> Jody


Jody,

Thanks for the quick response. I realize there are two parts to this - what
the Microsoft root program expects, and what Windows will enforce. It's
perfectly reasonable to expect something that isn't (yet) enforced - the
Baseline Requirements are a great example of collaborating on setting
expectations, even if we don't all programmatically enforce them (e.g.
validity period ranges of certificates, which only Chrome enforces, even
though all of us expect it by virtue of the BRs).

With the new update, I want to make sure I'm reading this correctly:

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Enforcement_in_General
Under Bullet 7 (typod OSSP, btw), the Microsoft *policy* is that OCSP
signatures must use SHA-2 beginning 2016/01/01.

This is "Microsoft requires CAs to start issuing new OCSP signatures using
only the SHA-2 algorithm after January 1, 2016 for SHA-2 SSL certificates"

This seems to conflict with the Enforcement Details section, which describes the
difference between Windows Behaviour and Microsoft Policy
(http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#H1_B),
which is that Microsoft policy is that CAs should move to SHA-2 (but
presumably, if they should, it's not that they must). This seems consistent
with your updated timeline under the Schedule section, which explicitly
calls it out as SHOULD.

So I guess the ambiguity is whether the "requires" in Enforcement in
General is a MUST or if it's a SHOULD.

I think the rest is clear (SHA-2 is required *and* enforced starting
2016/01/01 for anything with Must-Staple; SHA-2 is required *and* enforced
on 2017/01/01), but it's a question about whether SHA-2 is required *but
not* enforced starting 2016/01/01 - Schedule and Enforcement are clear that
it's not enforced, but "Enforcement in General" is inconsistent with them
both with regards to requirements of Microsoft Policy.