[cabfpub] LV Certificates - Counterproposal

Phillip Hallam-Baker philliph at comodo.com
Mon Dec 21 08:24:24 MST 2015 

+1 

If we are serious about Internet security we have to be very careful about making and changing decisions. I thought the original schedule to deprecate SHA-1 something of an over-reaction. Had my advice been taken, deployment of SHA-2 would have begun much earlier than it did and with an upgrade path that allowed for a less disruptive introduction. But the decisions were made and we told the Internet world what they are. We should not change them without an exceptionally good reason that wasn’t known at the time they were taken.

A lot of customers have made the switch at significant expense to them. Today is the winter solstice. We are already at years end as far as regular business goes. 


Rather than making this change, I suggest that the browser vendors begin deploying SHA3 code in the browsers so that we don’t get into the same situation again should SHA2 become a matter of concern.



> On Dec 21, 2015, at 6:29 AM, Sigbjørn Vik <sigbjorn at opera.com> wrote:
> 
> Hi CloudFlare and Facebook,
> 
> At Opera we share your concern about the wellbeing of the web. We too
> want information to be accessible to as many as possible. We also want
> this information to be securely accessible, so we are deeply sceptical
> of any ballots that reduce the security of the web in any way, including
> this one. Let us instead offer a counterproposal.
> 
> For a significant part of the users referenced in the ballot, free
> upgrade paths already exist, so we believe these users do not need any
> further action from us. Some users may not be able to use their device
> on tomorrow's web though. We are eagerly awaiting your statistics on
> this. Most likely this will be for very limited devices.
> 
> For example, Opera Mini is a technology which has minimal client
> requirements such as RAM and CPU, and works independently of the root
> store and cryptographic capabilities of the device. All that is required
> is the ability to install a networked app, and it runs on a host of such
> limited devices already. If this ballot should fail, and you are still
> concerned about your users, get in touch with us, and I am sure our Mini
> team could quickly release a version that restores gives full access to
> your services.
> 
> Other solutions than LV exist, whether with Opera, or other companies.
> 
> On 18-Dec-15 23:21, Jeremy Rowley wrote:
>> Hi everyone,
>> 
>> 
>> 
>> Attached is a proposal from Cloudflare and Facebook creating LV
>> certificates in the baseline requirements.  This is a draft ballot for
>> review that will, of course, change based on the debate in the forum.
>> Although CAs will stop issuing SHA-1 on 2016/1/1, there isn’t any reason
>> these changes couldn’t go into effect in early January (assuming a
>> passing vote).
>> 
>> 
>> 
>> If adopted, this ballot would permit continued use of SHA1 certificates
>> past the deprecation deadline (to support older devices) but give newer
>> browsers an easy way to reject SHA1 for users.  The ballot also
>> increases the resiliency of SHA1 certs against attacks by requiring
>> higher entropy serial numbers.
>> 
>> 
>> 
>> I look forward to your comments.
>> 
>> 
>> 
>> Thanks,
>> 
>> Jeremy
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>> 
> 
> 
> -- 
> Sigbjørn Vik
> Opera Software
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

More information about the Public mailing list