[cabfpub] Proposal of a SHA-1 exception procedure

Dean Coclin Dean_Coclin at symantec.com
Sun Jun 12 22:20:14 UTC 2016
Thank you for taking the time to formalize what was discussed in Bilbao. 

Regrettably, I was unable to attend the call last Thursday where I understand this was discussed in more depth. However, I believe the following are the action items:
1. Andrew to re-look at the questions to see (a) whether they are all necessary, (b) whether some can be phrased differently and (c) whether any additional questions would be helpful.

2. There was extensive discussion about the necessity of all the questions. Rather than rehash that here (I guess we’ll see that in the minutes), I assume Andrew will address that in 1a above.

3. There was an unanswered question from Peter regarding audit findings which needs clarification from the browsers. Basically, the issuance of a SHA-1 certificate that went through this procedure would result in a qualified audit, but it was my understanding from Bilbao that the CA should record the answers to the questions and the cryptanalysis for review by their auditor. Browsers would then not consider any punitive action if the record was complete (as shown in the audit report). However, this is not documented in the procedure, and I believe Peter (correctly) pointed out that CAs should expect something in writing here; otherwise there is no distinction between following and not following the procedure.
I’m hoping we can clarify these items on the list.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Andrew R. Whalley
Sent: Friday, June 03, 2016 4:54 PM
To: CABFPub <public at cabforum.org>
Subject: [cabfpub] Proposal of a SHA-1 exception procedure
At the face-to-face meeting in Bilbao we heard there's still a need for new SHA-1 certs from some sectors, most notably the payment industry, to avoid outages of critical systems with real-world impact. We discussed whether there was a way we might balance these cases against the vitally important need to ensure the security and safety of the public PKI.
Please take a look at the proposed procedure, attached. It outlines a way for CAs to request an exceptional SHA-1 issuance, including details which would help with a risk management decision. It's not a guarantee that any such issuance would be acceptable, but it provides a more structured approach than what's already occurred this year, e.g. with Worldpay.
I look forward to comments.