[cabfpub] Ballot 118 - SHA1 Sunset

Ryan Sleevi sleevi at google.com
Tue Oct 7 11:34:55 MST 2014 

On Oct 7, 2014 2:27 PM, "Kelvin Yiu" <kelviny at exchange.microsoft.com> wrote:
>
> I think you have 2 problems when trying to support XP users after
1/1/2016:
>
> 1. Not being able to get new SHA1 SSL certificates that works on XP
> 2. Not being able to get new code signing certificates to sign new builds
of Firefox, or sign Firefox in such a way that the same file will work on
XP and the latest Windows release.
>
> Assuming you can workaround the first problem by finding a 1024 bit root
CA that may or may not meet other security requirements, how will you deal
with the 2nd problem?
>
> Kelvin
>

Sign a "download loader" binary that does the fetching of a
non-Authenticode data blob?

(Terribly common, for better or worse)

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Gervase Markham
> Sent: Friday, October 3, 2014 3:24 AM
> To: Ryan Sleevi
> Cc: CABFPub
> Subject: Re: [cabfpub] Ballot 118 - SHA1 Sunset
>
> On 03/10/14 10:17, Ryan Sleevi wrote:
> > It is worth noting that, according to Microsoft's policies (which, I
> > should note, Chrome has also adopted), no SHA-1 certs can be issued by
> > members of the root programs.
>
> By CAs who are members of their root programs? Or by roots which are
trusted by their root programs?
>
> It might be possible to find a root, such as a 1024-bit one, which has
been removed from root programs but is still trusted by the older browsers
which such a scheme would target. Is there anything in Microsoft's or
Google's policies which would prevent us asking a CA with such a root to
issue us a SHA-1 certificate for the purpose of getting people onto
software which supports SHA-256?
>
> > However, I think you perhaps have too rosy a view about how such an
> > exemption would play out in practice. If browsers adopt negative UI
> > (as Chrome does, and as have both you and other Mozilla developers
> > suggested Firefox will/should) for such post-2016 certs, then the
> > ability to reasonably enforce such UI is contingent upon believing no
> > CAs will be issuing such certs.
>
> Not really. Given that you are putting the UI in now, a row-back later
would not have much immediate effect on the number of people who would get
negative UI. Which would make a change of mind, even if you wanted one,
impossible.
>
> > The situation you describe - which doesn't arise until Jan 2016 -
>
> Yes, indeed. But the de-adoption curves are not looking all that awesome.
>
> > appetite for that. I think it's reasonable that by 2016, if you're
> > still running a 15 year old OS, you'll have a bad time. And not just
> > because SHA-1, but because SNI, ECDSA, etc.
>
> Right. If we could get people to upgrade, we would.
>
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20141007/fe59956e/attachment.html

More information about the Public mailing list