[Servercert-wg] Discussion Period Begins on Ballot SC53: Sunset for SHA-1 OCSP Signing

Corey Bonnell Corey.Bonnell at digicert.com
Mon Jan 10 15:00:06 UTC 2022


Purpose of Ballot


Weaknesses regarding the use of the SHA-1 hash algorithm for signatures have
been known for several years. While there is currently a prohibition on the
use of CA Private Keys to directly sign OCSP responses using SHA-1, Private
Keys corresponding to OCSP delegated responders may still be used to sign
OCSP responses using SHA-1. This ballot establishes a sunset date to
prohibit delegated OCSP signing with the SHA-1 hash algorithm.

 

The following motion has been proposed by Corey Bonnell of DigiCert and
endorsed by Ben Wilson of Mozilla and Bruce Morton of Entrust.


Motion Begins


This ballot modifies the "Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates" ("Baseline Requirements"),
based on Version 1.8.0:

MODIFY the Baseline Requirements as specified in the following Redline:

 
https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...637c6959c35bbd93cc451f7b22dfb48ac4255b9f


Motion Ends


This ballot proposes a Final Maintenance Guideline. The procedure for
approval of this ballot is as follows:

 


Discussion (7+ days)


Start time: 2022-01-10 15:00:00 UTC

End time: Not before 2022-01-17 15:00:00 UTC

 


Vote for approval (7 days)


Start time: TBD

End time: TBD

 

Thanks,

Corey
