[cabfpub] Ballot 118 - SHA1 Sunset

Doug Beattie doug.beattie at globalsign.com
Fri Oct 10 16:35:51 UTC 2014


Hi Kelvin,

 

I was one of the CAs pushing back on this ballot, but since the date was
moved from November to January, we support the ballot with MUST statements.

 

I'll let you work out next steps with Ben - update and re-submit the ballot
or let it go as it stands.


Doug

 

From: Kelvin Yiu [mailto:kelviny at exchange.microsoft.com] 
Sent: Friday, October 10, 2014 12:30 PM
To: Doug Beattie; public at cabforum.org
Subject: RE: [cabfpub] Ballot 118 - SHA1 Sunset

 

Thanks for catching this Doug. From a Microsoft policy point of view, both
of the following should be "MUST NOT" instead of "SHOULD NOT":

 

1.     SHA-2 Subscriber certificates SHOULD NOT chain up to a SHA-1
Subordinate CA Certificate

2.     CAs SHOULD NOT issue Subscriber Certificates utilizing the SHA-1
algorithm with an Expiry Date greater than 1 January 2017

 

>From what I recall, Tom said Ben Wilson administratively changed the MUST
NOT to SHOULD NOT because he thought some CAs may need the extra time to
transition, but that applies only to #2. For #1, SHA-2 EE certificates MUST
NOT chain up to a SHA1 subordinate CA certificate. 

 

Kelvin

 

From: Doug Beattie [mailto:doug.beattie at globalsign.com] 
Sent: Thursday, October 9, 2014 1:10 PM
To: Kelvin Yiu; public at cabforum.org <mailto:public at cabforum.org> 
Subject: RE: [cabfpub] Ballot 118 - SHA1 Sunset

 

Hi Kelvin,

 

This ballot says CAs "SHOULD NOT" issue SHA-1 SSL certificates that are
valid into 2017.  Is that what you had intended, or did you mean to say
"MUST NOT"?  As currently worded, CAs can continue to issue them (RFC 2119
defines SHOULD as RECOMMENDED, but not required).  At the F2F I was under
the impression CAs MUST comply with these new rules, but maybe I missed
something.

 

Will the Microsoft Root agreement policy be updated to reflect SHOULD, MUST,
or are there no planned changes? Tom was pushing to add MUST to the
Microsoft root policy earlier.

 

Doug

 

From: public-bounces at cabforum.org <mailto:public-bounces at cabforum.org>
[mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, October 2, 2014 3:56 PM
To: CABFPub
Subject: [cabfpub] Ballot 118 - SHA1 Sunset

 

Ballot 118 - SHA1 Sunset 

Kelvin Yiu of Microsoft made the following motion, and Kirk Hall from Trend
Micro and Ryan Sleevi from Google have endorsed it. 

Reason for Ballot 

Over the last year or two, several application software providers have
announced deprecation of the SHA-1 algorithm in their software. 

-- Motion Begins -- 

A. In the Baseline Requirements, insert the following new section 9.4.2: 

9.4.2 SHA-1 Validity Period 

Effective 1 January 2016, CAs MUST NOT issue any new Subscriber certificates
or Subordinate CA certificates using the SHA-1 hash algorithm. CAs MAY
continue to sign certificates to verify OCSP responses using SHA1 until 1
January 2017. This Section 9.4.2 does not apply to Root CA or CA cross
certificates. CAs MAY continue to use their existing SHA-1 Root
Certificates. SHA-2 Subscriber certificates SHOULD NOT chain up to a SHA-1
Subordinate CA Certificate. 

Effective 16 January 2015, CAs SHOULD NOT issue Subscriber Certificates
utilizing the SHA-1 algorithm with an Expiry Date greater than 1 January
2017 because Application Software Providers are in the process of
deprecating and/or removing the SHA-1 algorithm from their software, and
they have communicated that CAs and Subscribers using such certificates do
so at their own risk. 

B. In Appendix A of the Baseline Requirements - Cryptographic Algorithm and
Key Requirements (Normative), add this note under Table 2, Subordinate CA
certificates: 

* SHA-1 MAY be used with RSA keys in accordance with the criteria defined in
Section 9.4.2. 

And amend this note at the end of each of the 3 tables. 

* SHA-1 MAY be used with RSA keys in accordance with the criteria defined in
Section 9.4.2 until SHA-256 is supported widely by browsers used by a
substantial portion of relying-parties worldwide. 

-- Motion Ends -- 

The review period for this ballot shall commence at 2200 UTC on Thursday, 2
October 2014, and will close at 2200 UTC on Thursday, 9 October 2014. Unless
the motion is withdrawn during the review period, the voting period will
start immediately thereafter and will close at 2200 UTC on Thursday, 16
October 2014. Votes must be cast by posting an on-list reply to this thread.
A vote in favor of the motion must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear responses will not
be counted. The latest vote received from any representative of a voting
member before the close of the voting period will be counted. Voting members
are listed here: https://cabforum.org/members/ In order for the motion to be
adopted, two thirds or more of the votes cast by members in the CA category
and greater than 50% of the votes cast by members in the browser category
must be in favor. Quorum is currently nine (9) members- at least nine
members must participate in the ballot, either by voting in favor, voting
against, or abstaining. 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141010/5730eb7b/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5615 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141010/5730eb7b/attachment-0001.p7s>


More information about the Public mailing list