[cabfpub] Microsoft Adjusts the SHA-1 Deprecation Date

Rob Stradling rob.stradling at comodo.com
Tue Apr 26 14:53:50 UTC 2016

On 22/04/16 17:46, Jody Cloutier wrote:
> Last year, Microsoft announced that, effective January 10, 2017, all
> Windows products would stop accepting as valid SHA-1 certificates issued
> from publicly-trusted CAs. Many of our partners in the industry told us
> that, because of the end of the year holiday lockdown periods, a January
> date was effectively a November date. Because of this, Microsoft has
> reconsidered it’s position, and we have decided to move the effective
> date of the SHA-1 deprecation to *Tuesday, February 14, 2017*.  Please
> see http://aka.ms/sha1 for more information.

Hi Jody.

Are you aware that your "Microsoft Update Secure Server CA 1" 
intermediate CA, which chains to a trusted root in the Microsoft Trusted 
Root Program, contravened Microsoft's own policy [1] by issuing 3 SHA-1 
certs last month?


These 3 SHA-1 certificates are valid until June 2017 and are currently 
installed.  I hope you plan to replace them with SHA-2 certs before Feb 
14th 2017!  (I'm guessing that Windows Update will break if you don't!)

[1] https://aka.ms/sha1
"Enforcement details
Certificate Type .. Microsoft Policy
TLS certificates .. CAs must move all new certs to SHA-2 after 1/1/2016"

P.S. I'm not going to ask if Microsoft intends to kick Microsoft out of 
the Microsoft Trusted Root Program for committing this transgression.  ;-)

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list