[cabfpub] Apple's SHA-1 Plan

Curt Spann cspann at apple.com
Tue Jan 24 23:37:32 UTC 2017

Greetings CAB Forum,

We have posted our SHA-1 deprecation plan here: https://support.apple.com/en-us/HT207459

Safari and WebKit ending support for SHA-1 certificates
Website operators should move to SHA-256 signed certificates as soon as possible.

In Spring 2017, a security update to Apple’s operating systems will remove support for SHA-1 signed certificates used for Transport Layer Security (TLS) in Safari and WebKit.
This security update will remove support for all certificates that are issued from a root Certification Authority (CA) included in the operating system default trust store. All other TLS connections will continue to support SHA-1 signed certificates until late 2017.  SHA-1 signed root CA certificates, enterprise-distributed SHA1 certificates, and user-installed SHA1 certificates are not affected by this change.

What will change?

With the upcoming security update, Safari displays a notification when a user navigates to a webpage that attempts to create a TLS connection using a SHA-1 signed certificate. The user will have to click to load the site. After loading, the site appears as an insecure connection in Safari.
Apps that use WebKit to connect to a site using TLS will receive an error if the site’s certificate is SHA-1 signed. Developers will need to ensure that their apps handle these errors.

What do I need to do?

Developers and website operators should move to SHA-256 signed certificates as soon as possible to prevent users from encountering warnings when connecting to their sites. There are many CA operators providing SHA256 signed certificates.

Apple Root Certificate Program

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170124/1a383202/attachment-0002.html>

More information about the Public mailing list