[cabfpub] SHA1 Deprecation Ballot

Ben Wilson ben at digicert.com
Wed Mar 12 16:14:07 UTC 2014


Forwarded from Bruce Morton/Entrtust:

 

First I am not a signing/hashing expert, but below is how I understand the problem. I would be happy to have any of the following corrected by an expert.

 

I think the policy should consider that there could be a collision or a preimage/second-preimage attack and that there are SHA2 compatibility issues.

 

Since a collision attack happens at the time the certificate is issued and a SHA1 collision attack could be feasible by the end of the decade, we need to stop signing with SHA1.

 

However, a preimage/second preimage attack happens after the certificate has been issued and is orders of magnitude more difficult to implement. I am not aware of an estimated time when we should be concerned with preimage/second preimage attacks on SHA1, as such there is not a big rush to limit the validity period of a SHA1 signed certificate.

 

I think the following should be considered:

-          Avoid collision by stopping to sign with SHA1 as of 1 January 2016 as Microsoft has advised in their policy.

-          Support transition to SHA2 by allowing SHA1 signed certificates to have the full validity period as stated in the BRs.

-          Consider lengthening the transition period by allowing a longer validity period for SHA1 signatures for customers that can make the justification.

 

I remember one of the CAB Forum members wrote an email that I think was called Hash Vulnerability 101. Some input from that member would help to finalize the policy.

 

Thanks, Bruce.

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Wednesday, March 12, 2014 11:15 AM
To: 'Doug Beattie'; kirk_hall at trendmicro.com; 'CABFPub'
Subject: Re: [cabfpub] SHA1 Deprecation Ballot

 

It would surprise me if we weren’t all in agreement on what we want, but the difficulty is putting formality to it in the words of a ballot.  

Doug and Kirk,

Should the three of us take this offline and work through it together and bring a proposal back to the Forum?

Thanks,

Ben

(Also, as we all know, we can’t pass a ballot and walk away with “mission accomplished.”  So, besides amendments to the Baseline Requirements, we need a sunset plan/strategy.  I say that now so that we’ll remember that after this ballot passes.)

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Wednesday, March 12, 2014 6:51 AM
To: kirk_hall at trendmicro.com; 'CABFPub'
Subject: Re: [cabfpub] SHA1 Deprecation Ballot

 

Kirk and all,

 

Since January 2017 is almost 3 years away, let’s not get too tangled up in the details of the SHA-1 deprecation.  We need to set clear guidance, define requirements to limit the number of SHA-1 SSL certificates that will be valid well past January 2017, and be sure we all communicate the same (CABF) message to our user community.  The details can be refined in 2015 and 2016 as we understand the implications on the global server/browser community and the impact on e-commerce/security as we formally deprecate SHA-1.  We might need to perform a study on the impact of SHA-1 deprecation.  It’s possible that we need to perform a phased roll-out with US/EMEA formally deprecating SHA-1 on one date (even earlier than Jan 2017), but APAC and other regions perhaps at a later date.  Let’s promote SHA-2, drive adoption, understand operational limitations and then refine the plan.

 

 

So, at this time, I’m in favor of:

-          Specifying shorter max validity periods for SHA-1 SSL certificates (1-year starting Jan 2015?)

-          Setting end dates for the creation of any new Root and Subordinate CAs with SHA-1

-          Defining clear messaging to the user community regarding SHA-1

-          Setting target dates for the next set of changes for improved security/performance (RSA-4096/ECC/SHA-512/etc)

 

I’m against:

-          Specifying an exact date at which no SHA-1 certificates can be issued globally

-          Specifying the detailed legacy exceptions for using SHA-1 after the sunset date

 

Doug

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Tuesday, March 11, 2014 8:54 PM
To: 'CABFPub'
Subject: Re: [cabfpub] SHA1 Deprecation Ballot

 

I’m still thinking this through, but my current opinion is that the BRs should set a sunset date (prohibition) for issuance of end-entity certs with SHA1 (like we did for ISN and IP address certs under BR 9.2.1 and for certs with a validity period of more than 39 months under BR 9.4.1) just as a matter of good practice, and recognition that SHA1 will be compromised.

 

However, I also think we should put in a legacy exception allowing SHA1 certs after the sunset date (just as we allow 60 month certs under BR 9.4.1 for legacy cases), with a required warning to the customer who insists about the dangers to the customer and the likelihood that the cert won’t work in Microsoft and other browsers.  That will force customers to make a case for the SHA1 cert (which the CA must document), and give them fair warning.

 

Here are the current legacy exceptions allowing 60 month certs under BR 9.4.1.  Should we adopt the same or similar exceptions for SHA1 certs after the sunset date?

 

Beyond 1 April 2015, CAs MAY continue to issue Subscriber Certificates with a Validity Period greater than 39 months but not greater than 60 months provided that the CA documents that the Certificate is for a system or software that:

(a) was in use prior to the Effective Date;

(b) is currently in use by either the Applicant or a substantial number of Relying Parties;

(c) fails to operate if the Validity Period is shorter than 60 months;

(d) does not contain known security risks to Relying Parties; and

(e) is difficult to patch or replace without substantial economic outlay.

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Tuesday, March 11, 2014 2:54 PM
To: 'Doug Beattie'; 'CABFPub'; 'Ryan Sleevi'
Subject: Re: [cabfpub] SHA1 Deprecation Ballot

 

What about this?

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Tuesday, March 11, 2014 8:31 AM
To: ben at digicert.com; 'CABFPub'; 'Ryan Sleevi'
Subject: Re: [cabfpub] SHA1 Deprecation Ballot

 

Hi Ben,

 

I’m not sure this entirely captures the requirements for the deprecation of SHA-1.  Here are my thoughts and suggestions:

 

While I agree with the requirement that Root and Subordinate CA Certificates generated after 31 December 2015 should not be SHA-1, I don’t think this accurately defines the 1 January 2017 “event”.  While all certs issued after 31 December 2015 should not be SHA-1, it implies that SHA-1 certificates issued before this date will be valid until they expire.  Microsoft has stated that on 1 January 2017 if any certificates in the chain up to, but not including, the root (including cross certificates) are SHA-1, the certificate validation will fail.  Isn’t this the point we want to make?  I’m not sure we need to state in the BR when SHA-1 certificates should no longer be issued, or when they must expire, just when they won’t be validated.  If some CAs want to dig a big hole by issuing lots of SHA-1 certificates that expire after 1 January 2017, that is their challenge to resolve.

 

I attempted to document this in the attached for your consideration.   The first page of the attachment summarizes the suggested changes while the next 2 are redlined changes for Appendix A, much like your attachment.

 

Doug

 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: Sunday, March 09, 2014 3:20 AM
To: 'CABFPub'; 'Ryan Sleevi'; Doug Beattie
Subject: RE: [cabfpub] SHA1 Deprecation Ballot

 

All,

 

Here is a draft of Ballot 118 – SHA1 Sunset.  

 

I’ve proposed language to replace the current footnote concerning SHA1 in Appendix A, feel free to edit:

*   "Effective immediately CAs SHOULD begin migrating away from using the SHA-1 hashing algorithm to sign Subscriber Certificates.  CAs SHOULD advise Applicants that Microsoft has indicated that Windows will stop accepting SHA1 certificates on 1 January 2017 or sooner if the algorithm becomes vulnerable to cryptographic attack."  Alternatively, it could  be re-phrased to say, “CAs may want to advise Applicants that …”, but this draft has “SHOULD”.

 

Also, if your look at table (1) Root CA Certificates, it still allows legacy SHA1 Roots created before January 1, 2016, to serve as trust anchors.  The language is Root Certificates “with a validity period beginning after 31 Dec. 2015”, which means that starting Jan. 1, 2016, CAs shouldn’t be submitting new roots signed using SHA1, but I doubt that few CAs are still submitting SHA1 signed roots, so I don’t think that is an issue that we need to call out specially in the table below.  

 

Ben Wilson of DigiCert made the following motion, and ____ from _______ and _________ from __________ endorsed it: 

 

Motion Begins

 

In order to bring CA practices in line with SHA1 deprecation plans for the industry, Appendix A of the Baseline Requirements is amended effective immediately as follows:

 

In each of the three tables in Appendix A, delete the middle column (because it is applicable mostly for certificates valid through 2013, which have expired anyway by now) and insert a new column on the right side of each of the tables with a column heading that reads, 

 

"Validity period beginning after 31 Dec 2015".  

 

Add the following for the first and last column of each row in the following tables:

 

(1)          Root CA Certificates

Digest algorithm - SHA-256, SHA-384 or SHA-512

Minimum RSA modulus size (bits) - 2048

ECC curve - NIST P-256, P-384, or P-521

Minimum DSA modulus and divisor size (bits) -  L= 2048, N= 224 or L= 2048, N= 256, L= 2048, N= 224 or L= 2048, N= 256  

 

(2)          Subordinate CA Certificates

Digest algorithm - SHA-256, SHA-384 or SHA-512

Minimum RSA modulus size (bits) - 2048

ECC curve - NIST P-256, P-384, or P-521

Minimum DSA modulus and divisor size (bits) -  L= 2048, N= 224 or L= 2048, N= 256, L= 2048, N= 224 or L= 2048, N= 256  

 

(3)          Subscriber Certificates

Digest algorithm - SHA-256, SHA-384 or SHA-512

Minimum RSA modulus size (bits) - 2048

ECC curve - NIST P-256, P-384, or P-521

Minimum DSA modulus and divisor size (bits) -  L= 2048, N= 224 or L= 2048, N= 256, L= 2048, N= 224 or L= 2048, N= 256  

 

Replace the footnote "*" in Appendix A with the following:  "Effective immediately CAs SHOULD begin migrating away from using the SHA-1 hashing algorithm to sign Subscriber Certificates.  CAs SHOULD advise Applicants that Microsoft has indicated that Windows will stop accepting SHA1 certificates on 1 January 2017 or sooner if the algorithm becomes vulnerable to cryptographic attack."

 

Motion Ends

 

The review period for this ballot shall commence at 2200 UTC on Monday, 10 March 2014, and will close at 2200 UTC on Monday, 17 March 2014. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on Monday, 24 March 2014. Votes must be cast by posting an on-list reply to this thread. 

 

A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here:  https://cabforum.org/members/

 

In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Also, at least six members must participate in the ballot, either by voting in favor, voting against, or abstaining

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Monday, March 03, 2014 11:05 AM
To: 'Ryan Sleevi'
Cc: 'CABFPub'
Subject: Re: [cabfpub] SHA1 Deprecation Ballot

 

Ryan,

I agree with your view.  I’m just trying to get the “what-ifs” out in the open for discussion.  

Several times in the past the Forum has been criticized for not doing enough to consider the whole ecosystem.  

I’m just giving everyone heads-up on a potential future issue.

Ben

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Friday, February 28, 2014 1:57 PM
To: Ben Wilson
Cc: CABFPub
Subject: Re: [cabfpub] SHA1 Deprecation Ballot

 

Ben,

 

Why do you believe that Microsoft's review is the only way to discover "Application X" and its existence? Why wouldn't we, within the CA/B Forum, except either member CAs (or CAs affected by but not members) to mention "Application X" exists?

 

Likewise, it seems reasonable to presume that "Application X" is not a common scenario to begin with - otherwise, we expect CAs would already be talking about "Application X" and its impact to their issuance practices.

 

As such, it seems like the scope of "Application X" is going to be so minimal, that it would be entirely reasonable/preferable/better for the Internet to let "We still issue SHA-1 for Application X" to be a qualified finding during an Audit (presuming, of course, that such timelines are incorporated within the audit framework in a timely manner), and then allow Root Programs to make a decision about "Application X"?

 

I see no reason to hold up the entire progress based on a hypothetical "Application X". And if such a blanket exception to security needs to be carved out, Root Programs are perfectly capable of doing so - as they have already done for other such "Application X" exceptional scenarios (eg: RSA-1024 bit certs for certain applications - such as Symantec's issuance of a pb.com certificate that conflicts with the BRs in https://bugzilla.mozilla.org/show_bug.cgi?id=966350 )

 

On Thu, Feb 27, 2014 at 4:59 PM, Ben Wilson <ben at digicert.com> wrote:

Let’s say we adopt this as a guideline.  Then, what if we want to fine-tune it based on Microsoft’s July 2015 review of progress made?  How can we amend the guideline and put that amendment in place before January 1, 2016?  (Let’s say that based on Microsoft’s review, it appears that Application X and its users need more time.  Won’t a CA that is providing SSL services for Application X say that six months is not enough time for the CAB Forum to adopt an exception and for it to change its code and certificate issuance processes to allow an exception for Application X and its users)?  In other words, don’t we need feedback from Microsoft prior to July 2015 in order to put an amendment in place?   If we adopt this provision, won’t we need to revisit it in about 12 months? 

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Thursday, February 20, 2014 11:55 AM
To: ben at digicert.com; public at cabforum.org


Subject: Re: [cabfpub] SHA1 Deprecation Ballot

 

Ben,

 

While this may be obvious to most of us, we should explicitly state that all CA certificates in the hierarchy up to, but not including the publicly trusted root, must also not be SHA-1.

 

Doug

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Wednesday, February 19, 2014 3:02 PM
To: public at cabforum.org
Subject: [cabfpub] SHA1 Deprecation Ballot

 

I’m not sure whether I’ve captured it all, but here is a rough draft of a possible ballot for the Baseline Requirements. 

 

Effective immediately CAs SHOULD begin migrating away from using the SHA-1 hashing algorithm to sign SSL/TLS and code signing certificates.   

 

Beginning January 1, 2016, CAs SHALL NOT use the SHA-1 hashing algorithm to sign SSL/TLS or code signing certificates.

 

Please provide your comments, edits, etc., 

 

Thanks,

 

Ben


_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public

 



 
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140312/914b483f/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5453 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140312/914b483f/attachment-0001.p7s>


More information about the Public mailing list