[cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016
Rick_Andrews at symantec.com
Thu Oct 27 05:58:26 MST 2016
Vista and Server 2008.
> On Oct 27, 2016, at 3:19 AM, Rob Stradling via Public <public at cabforum.org> wrote:
>> On 27/10/16 09:05, Gervase Markham via Public wrote:
>>> On 26/10/16 21:40, Wayne Thayer via Public wrote:
>>> Moreover, without formal approval of this rule change, every CA that
>>> wishes to maintain SHA-1 OCSP signing capability is left with a
>>> dilemma - do I assume the ballot will eventually pass, or do I cram
>>> in a ceremony to create a long-lived SHA-1 responder certificate
>>> before the deadline?
>> Would a straw poll help to ease that fear? But three browsers already
>> support this, and I can't see many CAs opposing it.
> Please could we first establish precisely _why_ any CA needs to sign any
> further OCSP responses or OCSP responder certs with SHA-1?
> [See my question to Rick about old versions of Windows]
> Depending on Rick's answer, I may have an alternative technical proposal
> (that won't require further SHA-1 signatures).
> If it turns out that there's no actual technical need for this ballot,
> then I oppose it.
>>> I accept that neither of these reasons amount to a crisis worthy of
>>> throwing the Forum rulebook out the window. I do think that the
>>> discussion has been helpful in highlighting what might be an
>>> inconsistency between the bylaws and the IPR policy, and to serve as
>>> an example of the problem with having a 50+ day balloting process.
>>> The current situation is unique, but I'll be surprised if it's the
>>> last time that we're looking for a way to "rush" through a ballot.
>> Quite so. See my points earlier about perhaps updating the process so
>> the formal vote happens beforehand, but the change is held in abeyance
>> pending the completion of IPR review. That way, CAs can at least have
>> certainty about what the vote result is, even if they don't have
>> certainty about what an IPR review might turn up.
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online