[cabfpub] Microsoft Adjusts the SHA-1 Deprecation Date
Jody Cloutier
jodycl at microsoft.com
Tue Apr 26 21:11:47 UTC 2016
I was not, but I'll look into it.
-----Original Message-----
From: Rob Stradling [mailto:rob.stradling at comodo.com]
Sent: Tuesday, April 26, 2016 7:54 AM
To: Jody Cloutier <jodycl at microsoft.com>
Cc: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Microsoft Adjusts the SHA-1 Deprecation Date
On 22/04/16 17:46, Jody Cloutier wrote:
> Last year, Microsoft announced that, effective January 10, 2017, all
> Windows products would stop accepting as valid SHA-1 certificates
> issued from publicly-trusted CAs. Many of our partners in the industry
> told us that, because of the end of the year holiday lockdown periods,
> a January date was effectively a November date. Because of this,
> Microsoft has reconsidered its position, and we have decided to move
> the effective date of the SHA-1 deprecation to *Tuesday, February 14,
> 2017*. Please see http://aka.ms/sha1 for more information.
Hi Jody.
Are you aware that your "Microsoft Update Secure Server CA 1"
intermediate CA, which chains to a trusted root in the Microsoft Trusted Root Program, contravened Microsoft's own policy [1] by issuing 3 SHA-1 certs last month?
Details:
https://crt.sh/?cablint=211&iCAID=9126&minNotBefore=2016-01-01
These 3 SHA-1 certificates are valid until June 2017 and are currently installed. I hope you plan to replace them with SHA-2 certs before Feb 14th 2017! (I'm guessing that Windows Update will break if you don't!)
[1] https://aka.ms/sha1
"Enforcement details
Certificate Type .. Microsoft Policy
TLS certificates .. CAs must move all new certs to SHA-2 after 1/1/2016"
P.S. I'm not going to ask if Microsoft intends to kick Microsoft out of the Microsoft Trusted Root Program for committing this transgression. ;-)
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online