[cabfpub] Microsoft Adjusts the SHA-1 Deprecation Date
Rob Stradling
rob.stradling at comodo.com
Tue Apr 26 14:53:50 UTC 2016
On 22/04/16 17:46, Jody Cloutier wrote:
> Last year, Microsoft announced that, effective January 10, 2017, all
> Windows products would stop accepting as valid SHA-1 certificates issued
> from publicly-trusted CAs. Many of our partners in the industry told us
> that, because of the end of the year holiday lockdown periods, a January
> date was effectively a November date. Because of this, Microsoft has
> reconsidered its position, and we have decided to move the effective
> date of the SHA-1 deprecation to *Tuesday, February 14, 2017*. Please
> see http://aka.ms/sha1 for more information.
Hi Jody.
Are you aware that your "Microsoft Update Secure Server CA 1"
intermediate CA, which chains to a trusted root in the Microsoft Trusted
Root Program, contravened Microsoft's own policy [1] by issuing 3 SHA-1
certs last month?
Details:
https://crt.sh/?cablint=211&iCAID=9126&minNotBefore=2016-01-01
These 3 SHA-1 certificates are valid until June 2017 and are currently
installed. I hope you plan to replace them with SHA-2 certs before Feb
14th 2017! (I'm guessing that Windows Update will break if you don't!)
[1] https://aka.ms/sha1
"Enforcement details
Certificate Type .. Microsoft Policy
TLS certificates .. CAs must move all new certs to SHA-2 after 1/1/2016"
P.S. I'm not going to ask if Microsoft intends to kick Microsoft out of
the Microsoft Trusted Root Program for committing this transgression. ;-)
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online