[cabfpub] Request for six month delay on new Google SHA-1 deprecation policy

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Aug 28 23:31:01 UTC 2014


[Reposting from Google SHA-1 list]

From: Kirk Hall (RD-US)
Sent: Thursday, August 28, 2014 4:29 PM
To: 'rsleevi at chromium.org'
Cc: security-dev; blink-dev; steve.medin at gmail.com; net-dev
Subject: RE: Intent to Deprecate: SHA-1 certificates

Thanks.  But nothing in those snippets indicates that in August 2014 SHA-1 certificate users will be told by Google that they must switch out all their certs in 6-12 weeks or else their websites will receive untrusted UIs in Chrome - does it?

As I mentioned before, our company already restricted our offerings so no customer can get a SHA-1 certificate expiring after 2016, so we are already in compliance.  Why are you effectively pushing back the SHA-1 deprecation deadline by two years on such short notice?

I think this is very unfortunate - Google seems angry at (some) CAs for past tardiness in transitions to stronger technologies (MD5, 1024 bit certs), but not all CAs are guilty and in any case this is a very punitive policy.

In fact, you are actually punishing website owners with perfectly valid SHA-1 certs who will be in full compliance with the SHA-1 deprecation policy by 2017 - they have done nothing wrong, but because of Google's new August 2014 policy, they have to speed up compliance to this year, at a very inconvenient time for many.

Finally, in my opinion, you are effectively punishing Chrome users as well  (or confusing them, at the very least) by showing them "untrusted" Chrome UIs this fall for certs that are, in fact, perfectly valid under a 2017 SHA-1 deprecation policy - all in the name of social engineering (pushing website owners and CAs to move faster).  Is this really what you want to do to Chrome users with Chrome's UI?  It's like "crying wolf" - telling your own customers there is a problem with a website when there actually isn't (you are just trying to make the website move faster).

Please listen to the people posting on this site and other sites, Ryan, and reconsider your timelines.  Do the right thing, and reset the deadline for March 1, 2015 or later.  That will accomplish all your stated purposes, and avoid hurting a lot of people (and Chrome users) unnecessarily.

From: sleevi at google.com [mailto:sleevi at google.com] On Behalf Of Ryan Sleevi
Sent: Thursday, August 28, 2014 4:19 PM
To: Kirk Hall (RD-US)
Cc: security-dev; Ryan Sleevi; blink-dev; steve.medin at gmail.com; net-dev
Subject: Re: Intent to Deprecate: SHA-1 certificates

In a discussion of SHA-1 deprecation:
https://cabforum.org/pipermail/public/2014-March/003024.html

"Chrome's plan continues to remain aggressive - disallowing certain algorithms/key sizes if their issuance date is after their sunset-grace period, outright rejecting them if their validity period exceeds the sunset-fail period, and eventually outright removing support entirely. As such, a CA that (continues) to issue such certs would not (ultimately) be causing outright risk to *current* versions of Chrome  users"

https://cabforum.org/2014/02/19/2014-02-19-minutes-of-mountain-view-f2f/#SHA1-Sunsetting-Grandfathering-Strategy

"Ryan: <snip> It goes back to attempting what we believe is a balanced approach for the user experience by telling the user that we don't have full confidence in this site but allowing the user to proceed, but this may become more serious over time. So we'll transition the user by not giving an EV indication.  We're also not going to require users to click through warnings."

"Ryan:  This pushes support to the browsers because when a site operator does not switch over to SHA2 people will say the browser doesn't work.  So, regardless of the sunset date, we'll have to start taking away your security benefits soon, but it would be better to find a solution based on policy.  If we cannot come to agreement on policy, like Brian said, then we are going to have different approaches, but we cannot have a situation where we're going to allow CAs to run SHA1 certificates up the wire and pass the cost on to the browsers.  The reality is that when a site breaks, it is not the site operator that suffers, it's the users, and users don't contact the site operator, they contact the browser or they go on social media and complain."

"Ryan:  It is all fine that we as a CA/Browser Forum can agree on something, but we need to get the attention of site operators and users on this.  If January 2016 is the date that CAs cease issuing SHA1 certificates, but site operators are installing 3-year certificates until then, we're going to see problems when they have forgotten about it.  If we cannot resolve this in the CA/Browser Forum, it will be something the browsers will start working on to get that messaging out."

"Bob:  Ryan has said that in Chrome they will implement a countdown meter that tells end users that in X days the website will stop working because the server has not migrated from SHA1."

On Thu, Aug 28, 2014 at 4:14 PM, Kirk Hall <kirk_hall at trendmicro.com> wrote:
Ryan -- seriously -- if you can point us to where, in the strings you referenced, that Google's new policy was first disclosed to CAs, and if it was about six months ago, you will receive a full and abject public apology from me, and no further complaints about the new policy.

So please resolve this once and for all -- where and when exactly do you believe that Google first disclosed this new policy?

On Thursday, August 28, 2014 3:40:13 PM UTC-7, Ryan Sleevi wrote:
Hi Kirk,

I can't help but feel you're intentionally being misleading. I would encourage you to read it again and confer with your colleagues.

It was clear enough, and long enough, a discussion that  Bob (on behalf of Mozilla) was able to state it simply and succinctly in the text I conveniently highlighted for you in that thread. I'm not sure how there can be any ambiguity on that, and it's the exact same policy now being proposed here.

All the best,
Ryan

On Thu, Aug 28, 2014 at 3:36 PM, Kirk Hall <kirk... at trendmicro.com> wrote:
Sorry, Ryan -- I don't see Google's new policy in any of those threads.  Can you point it out?

On Thursday, August 28, 2014 3:30:23 PM UTC-7, Ryan Sleevi wrote:

On Thu, Aug 28, 2014 at 3:18 PM, kirk... at trendmicro.com wrote:
Ryan - you keep saying Google told all CAs about this policy six months ago.  What are you referring to?  The CA/Browser Forum meeting in February?  You made no mention of this policy at that time.  See again the meeting minutes below from February 19, 2014.


Hi Kirk,

I fear you may have missed the messages on this thread where I've identified that for you particularly, and for others.

For your reference, I direct you to https://groups.google.com/a/chromium.org/d/msg/security-dev/2-R4XziFc7A/OAvNrBvhD5QJ

I note that I have already provided this link to you before, as shown on https://cabforum.org/pipermail/public/2014-August/003742.html

Hopefully you can take the opportunity to read it.



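The policy argued over above turns on two properties of each certificate: whether it is SHA-1 signed and whether its notAfter runs past the sunset. An added example, not from this thread and not Chrome's or any CA's code, follows: a stdlib-only Python audit that pulls the signature algorithm OID and validity period out of a DER-encoded X.509 certificate and flags the combination the policy targets. The sunset date of 1 January 2017 (the thread speaks of certificates "expiring after 2016"), the helper names, and the three sample certificates are assumptions made for the example; the samples are constructed in-line with a dummy key and dummy signature bits, so they parse but would never verify.

```python
from datetime import datetime, timezone

# Signature-algorithm OIDs that mean "SHA-1 signed" (RFC 3279 / RFC 5758).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
# Assumed sunset for this example: SHA-1 certificates still valid on or
# after this date are the ones the quoted policy degrades.
SUNSET = datetime(2017, 1, 1, tzinfo=timezone.utc)


def _read_tlv(buf, off):
    """Decode one DER tag-length-value at buf[off:]; return (tag, value, next)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


def _children(value):
    """Split a constructed DER value into a list of (tag, value) children."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = _read_tlv(value, off)
        out.append((tag, val))
    return out


def _decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128 arcs, high bit = continue
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def _decode_time(tag, raw):                # 0x17 = UTCTime, 0x18 = GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def inspect_certificate(der):
    """Return (signature OID, notBefore, notAfter) of a DER X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)
    (_, tbs), (_, sig_alg), _ = _children(cert)  # tbsCertificate, signatureAlgorithm, signature
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # skip optional [0] EXPLICIT version
        fields = fields[1:]
    validity = _children(fields[3][1])    # serial, signature, issuer, validity, ...
    return (_decode_oid(_children(sig_alg)[0][1]),
            _decode_time(*validity[0]), _decode_time(*validity[1]))


def classify(der, sunset=SUNSET):
    """Apply the sunset rule: only SHA-1 certificates valid past the sunset are flagged."""
    oid, _, not_after = inspect_certificate(der)
    if oid not in SHA1_SIGNATURE_OIDS:
        return "ok"
    return "sha1-past-sunset" if not_after >= sunset else "sha1-before-sunset"


# --- constructed test input (assumed names; dummy key and signature bits) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        a >>= 7
        while a:
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
            a >>= 7
        body += chunk
    return _tlv(0x06, body)


def build_test_certificate(sig_oid, not_before, not_after):
    alg = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _encode_oid("2.5.4.3") + _tlv(0x0C, b"example.test"))))
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    spki = _tlv(0x30, _tlv(0x30, _encode_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + _tlv(0x03, b"\x00" * 8))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + name + _tlv(0x30, utc(not_before) + utc(not_after)) + name + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 8))


_T = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
SAMPLES = {
    "sha1-expiring-2016": build_test_certificate("1.2.840.113549.1.1.5", _T(2014, 9, 1), _T(2016, 9, 1)),
    "sha1-expiring-2017": build_test_certificate("1.2.840.113549.1.1.5", _T(2014, 9, 1), _T(2017, 9, 1)),
    "sha256-expiring-2017": build_test_certificate("1.2.840.113549.1.1.11", _T(2014, 9, 1), _T(2017, 9, 1)),
}


def audit(samples=SAMPLES):
    """Map each sample name to its verdict under the sunset rule."""
    return {name: classify(der) for name, der in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

The outer signatureAlgorithm is the one read, since that is the algorithm a verifier actually checks the signature with. To audit a site you would feed it the leaf and every intermediate the server sends, not only the leaf; a root's self-signature is not part of what a client verifies, so a SHA-1 root on its own is not what the policy reaches.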