[cabfpub] FW: Ballot - expiration of SHA1 certificates

Ryan Sleevi sleevi at google.com
Fri Sep 5 16:07:58 MST 2014


Hi Tom,

We would be happy to endorse.
On Sep 5, 2014 3:47 PM, "Tom Albertson" <tomalb at microsoft.com> wrote:

>  Hi there,
>
>
>
> I have produced a ballot for discussion, which aligns the Baseline
> Requirements (v1.1.9)  with the planned deprecation of SHA-1.   This ballot
> uses the dates in the Microsoft SHA-1 deprecation policy
> <http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx>
> as a reference, and right now only addresses SSL certs.  I think we can
> offer similar language for code signing certs and possibly other BRs once
> we have hashed this out for SSL.
>
>
>
> New text appears as *red underlined*.   A small amount of text in
> Appendix A is proposed for deletion (black strikethrough).  The amendments
> relate mainly to Section 9.4 Validity Period, with minor conforming changes
> to Appendix A.
>
>
>
> Special thanks to Ben and Gerv and others, who already struggled through
> this issue in March 2014; that ballot discussion was most instructive.  I
> have made no efforts to collaborate with other Forum members on this issue
> except to go back and forth with Kelvin and Aaron here at Microsoft on the
> best text to offer to represent the Microsoft policy.
>
>
>
> Your comments and questions are appreciated, and ultimately we could use
> an endorser or two of the ballot measure.
>
>
>
> Thanks,
>
> Tom
>
>
>
> *Ballot NNN – expirations of SHA1 certificates (FINAL VERSION)*
>
>
>
>
>
> *9.4 Validity Period*
>
>
>
> *9.4.1 Subscriber Certificates*
>
> Subscriber Certificates issued after the Effective Date MUST have a
> Validity Period no greater than 60 months.
>
>
>
> Except as provided for below, Subscriber Certificates issued after 1 April
> 2015 MUST have a Validity Period no greater than 39 months.
>
>
>
>
> *Effective 1 November 2014, CAs MUST NOT issue Subscriber Certificates
> utilizing the SHA-1 algorithm with an Expiry Date greater than 1 January
> 2017.*
>
>
>
> *Except as provided for below, effective 1 January 2016, CAs MUST NOT
> issue Subscriber Certificates that utilize the SHA-1 algorithm.*
>
>
>
>
> *Effective* 1 April 2015, CAs MAY continue to issue Subscriber
> Certificates with a Validity Period greater than 39 months but not greater
> than 60 months provided that the CA documents that the Certificate is for a
> system or software that:
>
> (a) was in use prior to the Effective Date;
>
> (b) is currently in use by either the Applicant or a substantial number of
> Relying Parties;
>
> (c) fails to operate if the Validity Period is shorter than 60 months;
>
> (d) does not contain known security risks to Relying Parties; and
>
> (e) is difficult to patch or replace without substantial economic outlay.
>
>
>
>
>
> *9.4.2 Root CA Certificates*
>
>
>
> *The SHA-1 deprecation policy and Validity Dates DO NOT apply to Root CA
> certificates.  CAs MAY continue to use their existing SHA-1 Root
> Certificates.  CAs MUST use SHA-2 or successor hash algorithms to sign
> any Subscriber certificates, Subordinate CA certificates, and CRLs
> effective 1 January 2016.*
>
>
>
>
>
> *9.4.3 Subordinate CA Certificates*
>
>
>
> *Effective 1 January 2016, CAs MUST NOT issue Subordinate CA Certificates
> that utilize the SHA-1 algorithm.  CAs MUST NOT issue SHA-2 Subscriber
> certificates under SHA-1 Subordinate CA Certificates.*
>
>
>
>
>
> *Appendix A - Cryptographic Algorithm and Key Requirements (Normative)*
>
>
>
> Add this note under Table 2, Subordinate CA certificates:
>
>
>
> * SHA-1 MAY be used with RSA keys in accordance with the criteria defined
> in Section 9.4.3.
>
>
>
> And amend this note at the end of the 3 tables.
>
>
>
> * SHA-1 MAY be used with RSA keys *in accordance with the criteria
> defined in Section 9.4.1* until SHA-256 is supported widely by browsers
> used by a substantial portion of relying-parties worldwide.
>
>
>
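As an added example that is not part of this thread or of the ballot itself, the following Python checker encodes the Subscriber Certificate rules quoted above (the 60/39-month validity caps of 9.4.1, the 1 November 2014 SHA-1 expiry cutoff, the 1 January 2016 SHA-1 issuance ban, and the 9.4.3 rule against SHA-2 Subscriber certificates under a SHA-1 Subordinate CA) so that a CA's issuance pipeline or an auditor can test a proposed certificate against the ballot dates. Assumptions of this example: months are counted as calendar months rounded up, the BR "Effective Date" for the 60-month cap is already in the past, and the SHA-2-under-SHA-1 rule shares the 1 January 2016 date of the paragraph it appears in.

```python
from datetime import date

# Dates taken from the quoted ballot text (Sections 9.4.1 and 9.4.3).
SHA1_EXPIRY_RULE_FROM = date(2014, 11, 1)   # from here, SHA-1 certs must not expire after...
SHA1_LATEST_EXPIRY = date(2017, 1, 1)       # ...this date
SHA1_ISSUANCE_BAN_FROM = date(2016, 1, 1)   # no SHA-1 Subscriber or Subordinate CA certs
SHORT_VALIDITY_FROM = date(2015, 4, 1)      # issued after this: max 39 months (60 with exception)


def months_between(start: date, end: date) -> int:
    """Calendar months from start to end, rounding a partial month up.
    Assumption: the ballot does not say how to count months, so this is
    the conservative reading (39 months plus one day counts as 40)."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    return months + 1 if end.day > start.day else months


def check_subscriber_cert(not_before: str, not_after: str, hash_alg: str,
                          issuer_hash_alg: str, legacy_exception: bool = False) -> list:
    """Return the ballot rules a Subscriber Certificate would break.
    Dates are ISO strings (YYYY-MM-DD); hash names are e.g. 'sha1' or 'sha256'.
    legacy_exception=True means the CA has documented criteria (a)-(e) of 9.4.1."""
    issued, expires = date.fromisoformat(not_before), date.fromisoformat(not_after)
    alg, issuer_alg = hash_alg.lower(), issuer_hash_alg.lower()
    violations = []

    # 9.4.1: 60-month cap (assumes the BR "Effective Date" has passed), tightened
    # to 39 months for issuance after 1 April 2015 unless the exception is documented.
    cap = 39 if issued > SHORT_VALIDITY_FROM and not legacy_exception else 60
    if months_between(issued, expires) > cap:
        violations.append("validity-period")

    if alg == "sha1":
        if issued >= SHA1_ISSUANCE_BAN_FROM:
            violations.append("sha1-issuance")
        elif issued >= SHA1_EXPIRY_RULE_FROM and expires > SHA1_LATEST_EXPIRY:
            violations.append("sha1-expiry")
    elif issuer_alg == "sha1" and issued >= SHA1_ISSUANCE_BAN_FROM:
        # 9.4.3: no SHA-2 Subscriber certs under a SHA-1 Subordinate CA.
        # Assumption: this rule takes the 1 January 2016 date of its paragraph.
        violations.append("sha1-issuer")
    return violations


if __name__ == "__main__":
    # Constructed sample: a SHA-1 certificate issued December 2014 that runs past 2017.
    print(check_subscriber_cert("2014-12-01", "2017-06-01", "sha1", "sha1"))
```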