[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates
sleevi at google.com
Sat Feb 4 03:53:37 UTC 2017
On Fri, Feb 3, 2017 at 7:42 PM, realsky(CHT) <realsky at cht.com.tw> wrote:
> Ryan, You said you hope Jody can share his graph. Do you mean the
> discussion in last Fall Redmond F2F meeting as the minute below in
> Mozilla's news section?
> Side note based on comments from Microsoft
> •MS shows 20M sites with SHA-1 whereas FF counts traffic
> •Why do this now vs. waiting a year, that’s the rush?
> •Wants to work with other browsers on timing. Google might have different
> pain thresholds. Goal is to figure out we get proper user feedback and that
> stakeholders are not screaming.
There were several graphs, but one of them examined the validity period of
the certificates they were seeing; that is, when do these certs naturally
As captured in the remark, the point was "Too many valid certs out there"
that were causing discomfort in disabling SHA-1, which would break them.
> The no-SHA-1 requirement came in force January 2016 - not 2015. We passed
> the Ballot in 2015, following Microsoft's announced deprecation in Nov 12,
> 2013 - https://technet.microsoft.com/en-us/library/security/2880823.aspx
> The SHA-1 sunset ballot was passed on 16 October 2014, not 2015.
> Please see
Thanks; an unintentional typo but that still highlights it took a year for
the Forum to agree (even after a root program required it), and it took 2
years and some change before browsers disabled it, and it *still* broke
(and breaks) a number of sites.
> I think most CAs offer their customers to migrate SHA-1 SSL certificates to
> SHA 256 SSL certificates for free. Try their best to call out and e-mail to
> the customers to encourage them.
A number of CAs had trouble. I think
https://github.com/konklone/shaaaaaaaaaaaaa/issues/24 - a site Eric Mill
put together when Chrome made the UI changes - is a pretty telling example
of CAs not being as prepared as they otherwise suggested. More importantly,
it highlights that changes didn't happen until they were forced - and a
number of customers who actively wanted to be more secure were prevented by
the insecure practices and defaults of a number of CAs.