[cabfpub] Microsoft Adjusts the SHA-1 Deprecation Date

Jody Cloutier jodycl at microsoft.com
Tue Apr 26 21:11:47 UTC 2016

I was not, but I'll look into it. 

-----Original Message-----
From: Rob Stradling [mailto:rob.stradling at comodo.com] 
Sent: Tuesday, April 26, 2016 7:54 AM
To: Jody Cloutier <jodycl at microsoft.com>
Cc: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Microsoft Adjusts the SHA-1 Deprecation Date

On 22/04/16 17:46, Jody Cloutier wrote:
> Last year, Microsoft announced that, effective January 10, 2017, all 
> Windows products would stop accepting as valid SHA-1 certificates 
> issued from publicly-trusted CAs. Many of our partners in the industry 
> told us that, because of the end of the year holiday lockdown periods, 
> a January date was effectively a November date. Because of this, 
> Microsoft has reconsidered it's position, and we have decided to move 
> the effective date of the SHA-1 deprecation to *Tuesday, February 14, 
> 2017*.  Please see http://aka.ms/sha1 for more information.

Hi Jody.

Are you aware that your "Microsoft Update Secure Server CA 1" 
intermediate CA, which chains to a trusted root in the Microsoft Trusted Root Program, contravened Microsoft's own policy [1] by issuing 3 SHA-1 certs last month?


These 3 SHA-1 certificates are valid until June 2017 and are currently installed.  I hope you plan to replace them with SHA-2 certs before Feb 14th 2017!  (I'm guessing that Windows Update will break if you don't!)

[1] https://aka.ms/sha1
"Enforcement details
Certificate Type .. Microsoft Policy
TLS certificates .. CAs must move all new certs to SHA-2 after 1/1/2016"

P.S. I'm not going to ask if Microsoft intends to kick Microsoft out of the Microsoft Trusted Root Program for committing this transgression.  ;-)

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list