[cabfpub] Ballot 118 - SHA1 Sunset

Moudrick M. Dadashov md at ssc.lt
Fri Oct 10 12:52:19 MST 2014


SSC votes: "Yes".

Thanks,
M.D.

On 10/2/2014 10:55 PM, Ben Wilson wrote:
>
> *Ballot 118 - SHA1 Sunset*
>
> Kelvin Yiu of Microsoft made the following motion, and Kirk Hall from 
> Trend Micro and Ryan Sleevi from Google have endorsed it.
>
> *Reason for Ballot*
>
> Over the last year or two, several application software providers have 
> announced deprecation of the SHA-1 algorithm in their software.
>
> -- Motion Begins --
>
> A. In the Baseline Requirements, insert the following new section 9.4.2:
>
> *_9.4.2 SHA-1 Validity Period _*
>
> _Effective 1 January 2016, CAs MUST NOT issue any new Subscriber 
> certificates or Subordinate CA certificates using the SHA-1 hash 
> algorithm. CAs MAY continue to sign certificates to verify OCSP 
> responses using SHA1 until 1 January 2017. This Section 9.4.2 does not 
> apply to Root CA or CA cross certificates. CAs MAY continue to use 
> their existing SHA-1 Root Certificates. SHA-2 Subscriber certificates 
> SHOULD NOT chain up to a SHA-1 Subordinate CA Certificate. _
>
> _Effective 16 January 2015, CAs SHOULD NOT issue Subscriber 
> Certificates utilizing the SHA-1 algorithm with an Expiry Date greater 
> than 1 January 2017 because Application Software Providers are in the 
> process of deprecating and/or removing the SHA-1 algorithm from their 
> software, and they have communicated that CAs and Subscribers using 
> such certificates do so at their own risk. _
>
> B. In Appendix A of the Baseline Requirements - Cryptographic 
> Algorithm and Key Requirements (Normative), add this note under Table 
> 2, Subordinate CA certificates:
>
> _* SHA-1 MAY be used with RSA keys in accordance with the criteria 
> defined in Section 9.4.2. _
>
> And amend this note at the end of each of the 3 tables.
>
> * SHA-1 MAY be used with RSA keys in accordance with _the criteria 
> defined in Section 9.4.2_ until SHA-256 is supported widely by 
> browsers used by a substantial portion of relying-parties worldwide.
>
> -- Motion Ends --
>
> The review period for this ballot shall commence at 2200 UTC on 
> Thursday, 2 October 2014, and will close at 2200 UTC on Thursday, 9 
> October 2014. Unless the motion is withdrawn during the review period, 
> the voting period will start immediately thereafter and will close at 
> 2200 UTC on Thursday, 16 October 2014. Votes must be cast by posting 
> an on-list reply to this thread. A vote in favor of the motion must 
> indicate a clear 'yes' in the response. A vote against must indicate a 
> clear 'no' in the response. A vote to abstain must indicate a clear 
> 'abstain' in the response. Unclear responses will not be counted. The 
> latest vote received from any representative of a voting member before 
> the close of the voting period will be counted. Voting members are 
> listed here: https://cabforum.org/members/ In order for the motion to 
> be adopted, two thirds or more of the votes cast by members in the CA 
> category and greater than 50% of the votes cast by members in the 
> browser category must be in favor. Quorum is currently nine (9) 
> members-- at least nine members must participate in the ballot, either 
> by voting in favor, voting against, or abstaining.
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20141010/fb65e963/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3653 bytes
Desc: S/MIME Cryptographic Signature
Url : https://cabforum.org/pipermail/public/attachments/20141010/fb65e963/attachment.bin 


More information about the Public mailing list