[cabfpub] New Google policy on SHA-1 deprecation next 6-112 weeks

[Tim Shirley]

Can we clarify if the date checks apply only to the end-entity certificates?  Or do they also apply to the intermediates?  If the latter, that would require new SHA-1 intermediates to be issued with 2015-12-31 expiration dates in order to offer option #1 to customers.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Friday, August 22, 2014 12:15 PM
To: CABFPub (public at cabforum.org)
Subject: [cabfpub] New Google policy on SHA-1 deprecation next 6-112 weeks

For those CA/Browser Forum members who were not on the Forum conference call yesterday, I wanted to forward information that Google disclosed during the call that will affect all CAs.

Google has announced a policy to deprecate many SHA-1 certificates and some SHA-256 certificated currently in use in the next 6-12 weeks (upon the release of Chrome version 39):

https://groups.google.com/a/chromium.org/d/msg/security-dev/2-R4XziFc7A/NDI8cOwMGRQJ

Here is how we understand this.

Starting with Chrome 39, in about 12 weeks (mid-November), when Chrome encounters an SSL certificate that is SHA-1, or a SHA-256 certificate with a SHA-1 intermediate in the chain, the user will see a deprecated security UI.  Specifically:


·         If the SSL cert expires after 1/1/2016 but before 2017, then the user will see a padlock with a red line though it (and no green bar for EV certificates) and the page will be served up as normal with no user action.

·         If the SSL certificate expires after 1/1/2017, then the user will see the padlock with a red line through it, AND the page will be treated as mixed content and the user will need to perform an action to proceed.

·         Again, this will affect all SHA-1 certificates and all SHA-256 certificates issued from a SHA-1 intermediate certificate, no matter when such certificates were issued or deployed.

·         Per Google, SHA-1 roots can still be used, but all certificates in the chain must be SHA-256 to avoid the negative UI.

Google has told CAs that their affected customers have two choices over the next 6-12 weeks to avoid the negative UIs for their websites.


·         Customers can replace their SHA-1 certs that expire in 2016 or 2017 with new SHA-1 certs that expire no later than 12/31/2015 (same for new  SHA-256 certs issued from a SHA-1 intermediate), and they will get the regular UI trust symbols in Chrome, or

·         Customers can replace their SHA-1 certs (or SHA-256 certs issued from a SHA-1 intermediate) with SHA-256 certs issued from SHA-256 intermediates, which can expire in 2016 or 2017 and will receive the regular UI trust symbols in Chrome.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro
+1.503.753.3088




TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential

and may be subject to copyright or other intellectual property protection.

If you are not the intended recipient, you are not authorized to use or

disclose this information, and we request that you notify us by reply mail or

telephone and delete the original message from your mail system.




________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140822/67cbc7f3/attachment-0003.html>