[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates
realsky at cht.com.tw
Sat Feb 4 03:42:36 UTC 2017
From: Ryan Sleevi via Public <public at cabforum.org>
To: Geoff Keating <geoffk at apple.com>
Cc: Ryan Sleevi <sleevi at google.com>, CA/Browser Forum Public Discussion List <public at cabforum.org>
Date: Sat, 04 Feb 2017 09:37:51
Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates
On Fri, Feb 3, 2017 at 4:35 PM, Geoff Keating <geoffk at apple.com> wrote:
Weren’t most of the long-lived certificates that caused problems those issued before the current limit of ~3 years?
Nope, not in our experience. I'm hoping Jody can share his graph, but much of our 'breakage' experience was from sites where the CA waited to stop issuing SHA-1 certs until it was explicitly forbidden - that is, they did not even default to SHA-256, or made it considerably *more* difficult for their customers to obtain SHA-256 signed certs
Ryan, you said you hope Jody can share his graph. Do you mean the discussion at last fall's Redmond F2F meeting, as in the minutes below from Mozilla's news section?
Side note based on comments from Microsoft
• MS shows 20M sites with SHA-1, whereas FF counts traffic
• Why do this now vs. waiting a year, what's the rush?
• Wants to work with other browsers on timing. Google might have different pain thresholds. Goal is to figure out how we get proper user feedback and that stakeholders are not screaming.
The no-SHA-1 requirement came into force January 2016 - not 2015. We passed the Ballot in 2015, following Microsoft's announced deprecation on Nov 12, 2013 - https://technet.microsoft.com/en-us/library/security/2880823.aspx
The SHA-1 sunset ballot was passed on 16 October 2014, not 2015.
I think most CAs offer their customers migration of SHA-1 SSL certificates to SHA-256 SSL certificates for free. They try their best to call and e-mail the customers to encourage them.
Chunghwa Telecom Co. Ltd.