[cabfpub] New Google policy on SHA-1 deprecation next 6-12 weeks

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Fri Aug 22 16:15:05 UTC 2014


For those CA/Browser Forum members who were not on the Forum conference call yesterday, I wanted to forward information that Google disclosed during the call that will affect all CAs.

Google has announced a policy to deprecate many SHA-1 certificates and some SHA-256 certificates currently in use in the next 6-12 weeks (upon the release of Chrome version 39):

https://groups.google.com/a/chromium.org/d/msg/security-dev/2-R4XziFc7A/NDI8cOwMGRQJ

Here is how we understand this.

Starting with Chrome 39, in about 12 weeks (mid-November), when Chrome encounters an SSL certificate that is SHA-1, or a SHA-256 certificate with a SHA-1 intermediate in the chain, the user will see a deprecated security UI.  Specifically:

*         If the SSL cert expires after 1/1/2016 but before 2017, then the user will see a padlock with a red line through it (and no green bar for EV certificates) and the page will be served up as normal with no user action.

*         If the SSL certificate expires after 1/1/2017, then the user will see the padlock with a red line through it, AND the page will be treated as mixed content and the user will need to perform an action to proceed.

*         Again, this will affect all SHA-1 certificates and all SHA-256 certificates issued from a SHA-1 intermediate certificate, no matter when such certificates were issued or deployed.

*         Per Google, SHA-1 roots can still be used, but all certificates in the chain must be SHA-256 to avoid the negative UI.

Google has told CAs that their affected customers have two choices over the next 6-12 weeks to avoid the negative UIs for their websites.

*         Customers can replace their SHA-1 certs that expire in 2016 or 2017 with new SHA-1 certs that expire no later than 12/31/2015 (same for new SHA-256 certs issued from a SHA-1 intermediate), and they will get the regular UI trust symbols in Chrome, or

*         Customers can replace their SHA-1 certs (or SHA-256 certs issued from a SHA-1 intermediate) with SHA-256 certs issued from SHA-256 intermediates, which can expire in 2016 or 2017 and will receive the regular UI trust symbols in Chrome.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro
+1.503.753.3088
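The chain check those rules imply, as an added example that is not part of the original post and is neither Google's nor Trend Micro's code. It assumes a chain ordered leaf first and root last, reads the boundaries as notAfter on or after 1 January 2016 (struck-through padlock) and on or after 1 January 2017 (plus the mixed-content interstitial) following the mail's wording, and ignores the root's own signature as the mail says Chrome will. It uses only the standard library: a minimal DER walker pulls signatureAlgorithm and notAfter out of each certificate, and the sample chains are constructed unsigned skeletons built by fake_cert(), not real certificates; feed real DER (e.g. the output of openssl x509 -outform DER) to chrome39_ui() in practice.

```python
# Added example: classify a certificate chain under the Chrome 39 SHA-1 rules.
# Stdlib only; sample certificates below are constructed skeletons, not real.
import datetime

SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5",   # sha1WithRSAEncryption
                 "1.2.840.10040.4.3",      # dsa-with-sha1
                 "1.2.840.10045.4.1"}      # ecdsa-with-SHA1
SHA256_RSA_OID = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption

def der_read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a SEQUENCE body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read_tlv(value, pos)
        out.append((tag, v))
    return out

def decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def decode_time(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ, RFC 5280 century rule
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")   # else GeneralizedTime

def cert_sig_and_expiry(der_cert):
    """Return (signatureAlgorithm OID, notAfter) for one DER certificate."""
    _, cert, _ = der_read_tlv(der_cert, 0)
    (_, tbs), (_, sig_alg), _ = der_children(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, spki, ...
    validity = der_children(fields[3][1])
    return decode_oid(der_children(sig_alg)[0][1]), decode_time(*validity[1])

def chrome39_ui(chain):
    """Classify a DER chain (leaf first, root last) per the rules in the mail."""
    _, leaf_expiry = cert_sig_and_expiry(chain[0])
    # The root's own signature is ignored; every other certificate counts.
    sha1_in_chain = any(cert_sig_and_expiry(c)[0] in SHA1_SIG_OIDS for c in chain[:-1])
    if not sha1_in_chain:
        return "normal"
    if leaf_expiry >= datetime.datetime(2017, 1, 1):
        return "red-line+mixed-content"     # struck-through padlock, user action needed
    if leaf_expiry >= datetime.datetime(2016, 1, 1):
        return "red-line"                   # struck-through padlock, page loads normally
    return "normal"                         # expires by 31 Dec 2015

# --- constructed sample data: unsigned skeletons carrying only the fields read above ---
def der(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def fake_cert(sig_oid, not_after):
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    name = der(0x30, b"")                   # empty Name
    validity = der(0x30, der(0x17, b"140822000000Z")
                   + der(0x17, not_after.strftime("%y%m%d%H%M%SZ").encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name + validity + name + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))   # dummy signature BIT STRING

def demo():
    """Four chains covering the cases in the mail; returns {case: verdict}."""
    d = datetime.datetime
    root = fake_cert("1.2.840.113549.1.1.5", d(2030, 1, 1))   # SHA-1 root is allowed
    sha1_ica = fake_cert("1.2.840.113549.1.1.5", d(2020, 1, 1))
    sha256_ica = fake_cert(SHA256_RSA_OID, d(2020, 1, 1))
    return {
        "sha256_leaf_2017_sha1_ica": chrome39_ui([fake_cert(SHA256_RSA_OID, d(2017, 3, 1)), sha1_ica, root]),
        "sha1_leaf_2016": chrome39_ui([fake_cert("1.2.840.113549.1.1.5", d(2016, 6, 1)), sha256_ica, root]),
        "sha1_leaf_2015": chrome39_ui([fake_cert("1.2.840.113549.1.1.5", d(2015, 12, 31)), sha256_ica, root]),
        "all_sha256_2017": chrome39_ui([fake_cert(SHA256_RSA_OID, d(2017, 3, 1)), sha256_ica, root]),
    }
```

The first case is the one that surprises people: a freshly issued SHA-256 leaf still gets the mixed-content treatment because its intermediate is SHA-1, so the fix is a re-issue from a SHA-256 intermediate, not a new leaf alone. The DER walker deliberately reads only the two fields the policy depends on and does no signature or path validation; it is a triage tool for an inventory, not a verifier.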

