[cabfpub] Posted on behalf of customer

Peter Bowen pzb at amzn.com
Fri Dec 16 16:52:10 UTC 2016

> On Dec 16, 2016, at 7:22 AM, Gervase Markham via Public <public at cabforum.org> wrote:
> On 16/12/16 14:36, Tim Shirley wrote:
>> Only if they were issued in 2016.  As of January 16, 2015 the BRs
>> said CAs SHOULD NOT issue SHA-1 certificates valid after 1/1/17, but
>> it was not fully prohibited until 1/1/16.
> Yes, you are correct. The opportunity for the far-sighted to obtain the
> certs they needed extended until the end of 2015, not the end of 2014.
> The actual prohibitions on or UI warnings against such certificates were
> encoded directly in browsers, not in the BRs.

Based on when various changes went in to the BRs, we can expect to see SHA-1 certs up to various points that are not in violation of the BRs:

Pre-BR: 2022-06-30 (assuming 10 year validity period), or even later as there was no max AFAIK
Original BR: 2020-03-31 (60 month validity period for certs issued before 2015-04-01)
39 month rule: 2019-03-31 (39 months for certs issued on 2015-12-31)

Yes, some clients might choose to not trust these, but all could exist without any BR violation and without any browser-granted exception.


More information about the Public mailing list