[cabfpub] Proposal of a SHA-1 exception procedure

Andrew R. Whalley awhalley at google.com
Mon Jun 6 17:18:54 UTC 2016


To make commenting easier, I've converted the doc to Markdown and put it on


Pull requests most welcome.

I've incorporated the feedback from Eric about ensuring the list is CCed on
any response, and some typos he caught.

(For anybody who's looked at the PDF, the differences from that are minor
and shown here



On Fri, Jun 3, 2016 at 1:53 PM, Andrew R. Whalley <awhalley at google.com>

> Greetings,
> At the face-to-face meeting in Bilbao we heard there's still a need for
> new SHA-1 certs from some sectors, most notably the payment industry, to
> avoid outages of critical systems with real-world impact.  We discussed if
> there was a way we might balance these cases against the vitally
> important need to ensure the security and safety of the public PKI.
> Please take a look at the proposed procedure, attached.  It outlines a way
> for CAs to request an exceptional SHA-1 issuance, including details which
> would help with a risk management decision.  It's not a guaranty that any
> such issuance would be acceptable, but provides a more structured approach
> than what's already occurred this year, e.g. with worldpay.
> I look forward to comments.
> Cheers,
> Andrew