[cabfpub] What is actually meant by "SHA-1-using certificates"?

Ryan Sleevi sleevi at google.com
Tue Aug 26 14:29:23 UTC 2014


As repeatedly mentioned, the CA/Browser Forum is not the best place for
discussing individual browser policy, the same as it has always been (e.g.
with changes to Mozilla's Root Program).

I am not sure how to answer this question, as your message already shows
I've answered it with the same answer, phrased differently, several times.
All of the replies are consistent and saying the same thing - if the
notAfter of the leaf is greater than the sunset date, intermediates are
considered. If notAfter of the leaf less than it, they are not. The
validity period of the intermediates doesn't matter or affect anything.
On Aug 26, 2014 5:27 AM, "N. Atilla Biler" <atilla.biler at turktrust.com.tr>
wrote:

> Dear Ryan,
>
>
>
> Maybe an important point for Google to clarify at this moment is what is
> actually meant by "*SHA-1-using certificates*" in the following text
> under the link
>
>
>
>
> https://groups.google.com/a/chromium.org/forum/#!msg/security-dev/2-R4XziFc7A/NDI8cOwMGRQJ
>
>
>
> *“The following changes to Chromium's handling of SHA-1 are proposed:*
>
> *- All SHA-1-using certificates that are valid AFTER 2017/1/1 are treated
> insecure, but without an interstitial. That is, they will receive a
> degraded UI indicator, but users will NOT be directed to click through an
> error page.*
>
> *- Additionally, the mixed content blocker will be taught to treat these
> as mixed content, which WILL require a user action to interact with.*
>
> *- All SHA-1-using certificates that are valid AFTER 2016/1/1 are treated
> as insecure, but without an interstitial. They will receive a degraded UI
> indicator, but will NOT be treated as mixed content.”*
>
>
>
> Meaning that “*the certificates signed by SHA-1*” is another thing,
> meaning that “*the certificates signed by SHA-1 plus the certificates
> signed by SHA-2 but having SHA-1 roots or intermediate CAs in the chain*”
> is another thing. And the second meaning even boosts the burden on the CAs.
>
>
>
> A comment in one of Kirk’s mails (found below) says that “*Starting with
> Chrome 39, in about 12 weeks (mid-November), when Chrome encounters an SSL
> certificate that is SHA-1, or a SHA-256 certificate with a SHA-1
> intermediate in the chain, the user will see a deprecated security UI.*”
>
>
>
> However, in one of your comments under the chromium entry in the above
> link, you mention that “*Only the leaf certificates notAfter is
> considered (and independent of leaf signature algorithm), but if it matches
> the criteria, then all the validated signatures in the chain (i.e.
> excluding the root) are considered. No new intermediates are required,
> unless you are issuing long-lived SHA-256 certs that chain to a SHA-1
> intermediate*.”
>
>
>
> Could you please clarify this point for all the CAs in the Forum to
> prevent any misunderstandings at this point…
>
>
>
> Best regards,
>
>
>
>
>
> *N. Atilla BILER*
>
> *Business Development Manager*
>
> *TURKTRUST Inc.*
>
>
>
> Address: Hollanda Cad. 696.Sok. No:7 Yildiz 06550 Cankaya / ANKARA - TURKEY
>
> Phone   : +90 (312) 439 10 00
>
> Mobile  : +90 (530) 314 24 05
>
> Fax         : +90 (312) 439 10 01
>
> E-mail    : atilla.biler at turktrust.com.tr
>
> Web      : www.turktrust.com.tr
>
>
>
>
>
>
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On
> Behalf Of *Ryan Sleevi
> *Sent:* 25 Ağustos 2014 Pazartesi 17:51
> *To:* Dean Coclin
> *Cc:* CABFPub
> *Subject:* Re: [cabfpub] Agenda for Beijing F2F 16-18 September 2014
>
>
>
> Small correction:
> sudden -> recent
> very little notice -> six months notice
>
> I'm not sure that there is much to discuss, however, at least not within
> the Forum. Chromium has announced plans for UI changes that had previously
> been discussed at length in the Forum during our F2F in February. There is
> already a venue for discussing these changes, one which permits and
> encourages full public participation, and we welcome further contributions.
>
> I suspect that such a conversation in the Forum, with or without Google's
> participation, would thus be nonproductive, unless the proposal is that we
> reexamine codifying these dates in the BRs, a move we would certainly
> welcome.
>
> On Aug 25, 2014 7:13 AM, "Dean Coclin" <Dean_Coclin at symantec.com> wrote:
>
> I think another timely topic is Google’s sudden SHA-1 announcement.
> Although it appears no one from Google will be attending, perhaps we can
> schedule it at a time when they can dial in. It seems that this will have a
> huge customer impact with very little notice.
>
>
> Dean
>
>
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On
> Behalf Of *Ben Wilson
> *Sent:* Sunday, August 24, 2014 1:23 PM
> *To:* CABFPub (public at cabforum.org) (public at cabforum.org)
> *Subject:* [cabfpub] Agenda for Beijing F2F 16-18 September 2014
>
>
>
> All,
>
> Here is the agenda for our upcoming Face-to-Face Meeting in Beijing on 16
> - 18 September 2014.
>
> Please provide your feedback and comments.
>
> Also, if you have a topic you’d like to discuss, the following open slots
> are available:
>
> Slot 9 (30 min Wed p.m.)
>
> Slot 12 (60 min Thurs a.m.)
>
> Slot 14 (45 min Thurs p.m.)
>
> Slot 15 (45 min Thurs p.m.)
>
> Slot 16 (45 min Thurs p.m.)
>
> Thanks,
>
> Ben
>
>
>
>
>
> *Time*
>
> *Start*
>
> *Stop*
>
> *Slot*
>
> *Description*
>
> *Notes*
>
>
>
>
>
>
>
>
>
> *WORKING GROUP MEETINGS – *
>
> *(Tue) 16 Sept 2014*
>
>
>
> 0:10
>
> 9:30
>
> 9:40
>
>
>
> *Welcome, Prelim Matters, Antitrust Statement, Logistics, Assign
> Note-Takers, etc.*
>
>
>
> 1:10
>
> 9:40
>
> 10:50
>
> 1
>
> *Extended Validation Working Group Discussions*
>
> Open Items List to be Distributed
>
> 0:10
>
> 10:50
>
> 11:00
>
>
>
> *10-min Break*
>
>
>
> 1:10
>
> 11:00
>
> 12:10
>
> 2
>
> *Code Signing Working Group Discussions*
>
> Review Comments received to
>
> Public Comment Draft of Baselines for Code Signing
>
> 1:00
>
> 12:10
>
> 13:10
>
>
>
> *Lunch*
>
>
>
> 1:20
>
> 13:10
>
> 14:30
>
> 3
>
> *Certificate Policy Revisions Working Group Discussions*
>
> Review Computer and Network Security - Sections 6.5 to 6.7 of RFC 3647 and
> NISTIR
>
> 0:15
>
> 14:30
>
> 14:45
>
>
>
> *15-min Break*
>
>
>
> 1:15
>
> 14:45
>
> 16:00
>
> same
>
> *Continue CP Revisions Working Group Discussions*
>
>
>
>
>
> 16:00
>
>
>
>
>
> *Adjourn for the Day*
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *(Wed) 17 Sept 2014*
>
>
>
> 0:05
>
> 9:00
>
> 9:05
>
>
>
> *Recap of Prelim Matters and Logistics*
>
>
>
> 0:10
>
> 9:05
>
> 9:15
>
>
>
> *Antitrust Statement and Assign Note-Takers*
>
>
>
> 0:30
>
> 9:15
>
> 9:45
>
> 1
>
> *Recap of Working Group Discussions (EV, Code Signing, and CP Security
> Review)*
>
>
>
> 0:45
>
> 9:45
>
> 10:30
>
> 2
>
> *Browser News*
>
> Apple, Google, Opera, Microsoft, Mozilla
>
> 0:05
>
> 10:30
>
> 10:35
>
>
>
> *Bio-Break*
>
>
>
> 0:40
>
> 10:35
>
> 11:15
>
> 3
>
> *Report from ETSI*
>
> Iñigo Barreira / Arno Fiedler
>
> 0:40
>
> 11:15
>
> 11:55
>
> 4
>
> *Report from WebTrust*
>
> Don Sheehy
>
> 1:05
>
> 11:55
>
> 13:00
>
>
>
> *Lunch*
>
>
>
> 0:45
>
> 13:00
>
> 13:45
>
> 5
>
> *Discussion of SM2 Algorithm*
>
> *http://tools.ietf.org/html/draft-shen-sm2-ecdsa-01
> <http://tools.ietf.org/html/draft-shen-sm2-ecdsa-01>*
>
> 0:45
>
> 13:45
>
> 14:30
>
> 6
>
> *Discussion of Critical Extension to Technically Constrain SSL for
> Non-Browsers*
>
> Continuation of Discussion on Methods to Reduce Scope of Some of the
> Baseline Requirement Provisions (For Legacy  Apps, IPSec, Non-Browser SSL)
>
> 0:15
>
> 14:30
>
> 14:45
>
>
>
> *15-min Break*
>
>
>
> 0:45
>
> 14:45
>
> 15:30
>
> 7
>
> *Overview of Information Sharing - Why and How do We Share Information?*
>
> Ben
>
> 1:00
>
> 15:30
>
> 16:30
>
> 8
>
> *Functional Elements of a Solution, e.g. CABF Centre Database for Malware
> Signing Blacklist*
>
> Richard
>
> 0:30
>
> 16:30
>
> 17:00
>
> 9
>
> *Open Slot and Daily Wrap-Up*
>
>
>
>
>
> 17:00
>
>
>
>
>
> *Adjourn for the Day*
>
>
>
>
>
>
>
>
>
>
>
> *Social Event at Local Chinese Restaurant*
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *(Thur) 18 June 2014*
>
>
>
> 0:10
>
> 9:00
>
> 9:10
>
>
>
> *Preliminary Logistics and Assign Note Takers*
>
>
>
> 0:30
>
> 9:10
>
> 9:40
>
> 10
>
> *Revisit Yesterday's Discussion on Information Sharing*
>
>
>
> 1:00
>
> 9:40
>
> 10:40
>
> 11
>
> *Discuss Scope of CA/Browser Forum Work, Purpose, Bylaws, Project
> Lifecycle Revisions, Working Group Charters, Changes*
>
> Moudrick Dadashov
>
> 0:15
>
> 10:40
>
> 10:55
>
>
>
> *15-min Break*
>
>
>
> 1:00
>
> 10:55
>
> 11:55
>
> 12
>
> *Open Slot*
>
>
>
> 1:05
>
> 11:55
>
> 13:00
>
>
>
> *Lunch*
>
>
>
> 0:45
>
> 13:00
>
> 13:45
>
> 13
>
> *Future Improvements to the Implementation of SSL/TLS *
>
> Placeholder to discuss communication / coordination among CAs and Browsers
> on Plans for Future Evolution of SSL/TLS
>
> 0:45
>
> 13:45
>
> 14:30
>
> 14
>
> *Open Slot*
>
>
>
> 0:15
>
> 14:30
>
> 14:45
>
>
>
> *15-min Break*
>
>
>
> 0:45
>
> 14:45
>
> 15:30
>
> 15
>
> *Open Slot*
>
>
>
> 0:45
>
> 15:30
>
> 16:15
>
> 16
>
> *Open Slot*
>
>
>
> 0:45
>
> 16:15
>
> 17:00
>
> 17
>
> *Meeting Wrap-Up*
>
>
>
>
>
> ...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140826/d0615d08/attachment-0003.html>


More information about the Public mailing list