[cabfpub] Request for six month delay on new Google SHA-1 deprecation policy

kirk_hall at trendmicro.com
Thu Aug 28 23:56:16 UTC 2014


[Reposting from Google SHA-1 list]

-----Original Message-----
From: Kirk Hall (RD-US) 
Sent: Thursday, August 28, 2014 4:55 PM
To: 'Chris Palmer'
Cc: rsleevi at chromium.org; security-dev; blink-dev; steve.medin at gmail.com; net-dev
Subject: RE: Intent to Deprecate: SHA-1 certificates

Also, Chris -- why doesn't Google just deprecate SHA-1 certificates that expire on or after January 1, 2017 (now, or in six months) -- I can guarantee once that happens those certs will disappear, which is your stated goal -- and no new certs expiring in 2017 or later will ever be issued.

Why do you have to attack SHA-1 certs now that expire in 2016?  If you just focus on certs expiring in 2017 or later, you will save thousands of website owners from needless switching of their current SHA-1 certs (when they will never be receiving SHA-1 replacement certs that expire in 2017).

This makes no sense -- can you explain why Google's SHA-1 early deprecation isn't limited to SHA-1 certs that expire in 2017 or later???  That would catch everything, and prevent issuance of new 2017 certs.

-----Original Message-----
From: Chris Palmer [mailto:palmer at google.com] 
Sent: Thursday, August 28, 2014 4:39 PM
To: Kirk Hall (RD-US)
Cc: rsleevi at chromium.org; security-dev; blink-dev; steve.medin at gmail.com; net-dev
Subject: Re: Intent to Deprecate: SHA-1 certificates

On Thu, Aug 28, 2014 at 4:29 PM, kirk_hall at trendmicro.com <kirk_hall at trendmicro.com> wrote:

> As I mentioned before, our company already restricted our offerings so no customer can get a SHA-1 certificate expiring after 2016, so we are already in compliance.

Great! Thank you.

> Why are you effectively pushing back the SHA-1 deprecation deadline by two years on such short notice?

SHA-1 is now, and has been for some time, deprecated. The deadline is for when SHA-1 will be not just deprecated but *outright disabled*.

So, we are surfacing the deprecation *now*, so that all CAs will do as Trend Micro has done, and won't suddenly be caught off-guard when SHA-1 is indeed turned off as scheduled.

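Added example (not part of the thread, and not Trend Micro's or Google's code): a dependency-free Python check that pulls the signature algorithm and notAfter date out of a DER-encoded certificate and sorts it into the buckets the two messages argue over, SHA-1 certificates expiring on or after January 1, 2017 versus those expiring earlier. The sample certificate bytes are constructed inline with a tiny DER encoder (hypothetical subject name, dummy signature, no real key) so the script runs offline; the OIDs are the standard sha1WithRSAEncryption and sha256WithRSAEncryption identifiers from RFC 3279 and RFC 4055. The parser reads only the leading fixed fields of the certificate and does not validate the signature.

```python
"""Sort certificates by signature hash and expiry, as discussed in the
SHA-1 deprecation thread.  Added example; the sample certificate below is
constructed here and is not a real issued certificate."""
from datetime import datetime, timezone

SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption (RFC 3279)
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption (RFC 4055)
CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)  # threshold argued over in the thread


# ---- minimal DER encoding (only what the sample needs) ----------------------
def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_cert(sig_oid, not_after_ymd):
    """Constructed sample: RFC 5280 field order, dummy key and signature."""
    not_after = datetime(*not_after_ymd, tzinfo=timezone.utc)
    alg = tlv(0x30, der_oid(sig_oid) + tlv(0x05, b""))       # AlgorithmIdentifier + NULL
    name = tlv(0x30, tlv(0x31, tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, b"example.test"))))
    validity = tlv(0x30, der_utctime(datetime(2014, 8, 28, tzinfo=timezone.utc))
                   + der_utctime(not_after))
    spki = tlv(0x30, tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
               + tlv(0x03, b"\x00\x30\x00"))                 # placeholder key, not usable
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xAA" * 16))  # dummy signature


# ---- minimal DER decoding ---------------------------------------------------
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                         # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def oid_to_str(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_time(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:                          # UTCTime: RFC 5280 century rule (50-99 -> 19xx)
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_fields(der):
    """Return (signature algorithm OID, notAfter) from a DER certificate."""
    _, cert, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, tbs, pos = read_tlv(cert, 0)          # tbsCertificate
    _, sigalg, _ = read_tlv(cert, pos)       # outer signatureAlgorithm
    _, oid, _ = read_tlv(sigalg, 0)
    tag, _, nxt = read_tlv(tbs, 0)
    p = nxt if tag == 0xA0 else 0            # skip explicit [0] version if present
    for _ in range(3):                       # serialNumber, signature, issuer
        _, _, p = read_tlv(tbs, p)
    _, validity, _ = read_tlv(tbs, p)
    _, _, q = read_tlv(validity, 0)          # notBefore
    t, not_after, _ = read_tlv(validity, q)
    return oid_to_str(oid), parse_time(t, not_after)

def classify(der):
    """Bucket a certificate the way the thread distinguishes them."""
    alg, not_after = cert_fields(der)
    if alg != SHA1_RSA:
        return "not SHA-1"
    if not_after >= CUTOFF:
        return "SHA-1, expires 2017 or later"
    return "SHA-1, expires before 2017"

if __name__ == "__main__":
    for oid, ymd in [(SHA1_RSA, (2016, 12, 31)), (SHA1_RSA, (2017, 1, 1)), (SHA256_RSA, (2018, 6, 1))]:
        print(ymd, classify(build_cert(oid, ymd)))
```

To run it against a real certificate, pass its DER bytes (for example from `ssl.get_server_certificate` converted with `ssl.PEM_cert_to_DER_cert`) to `classify` instead of `build_cert`; the walker relies only on the RFC 5280 field order that every X.509 v3 certificate follows, but it is a triage tool, not a validator.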

