[cabfpub] Ballot 152 - Issuance of SHA-1 certificates through 2016)

Ryan Sleevi sleevi at google.com
Mon Oct 19 12:56:42 MST 2015


On Mon, Oct 19, 2015 at 12:48 PM, Dean Coclin <Dean_Coclin at symantec.com>
wrote:

> Despite this latest news and the withdrawal of the current ballot, I have
> heard increasing calls from very large enterprises (Fortune 50) and
> Governments that state the issue previously described, that is, the problem
> in replacing high numbers of SHA1 certs before Dec 31 2015, doesn't go
> away.
>
> Two issues which they feel have not adequately been described in threat
> models:
>
> 1. The prohibition of issuing SHA1 certs after Dec 31, 2015 that still
> expire by the existing deadline (Dec 31, 2016).
>

I'm not sure I follow what you're requesting here. I can see several ways
of interpreting this:

1) Proponents of SHA-1 certificates do not feel they adequately understand
why such issuance is prohibited beginning Jan 1, 2016.
2) Proponents of SHA-1 certificates do not feel they adequately understand
why such issuance is prohibited beginning Jan 1, 2016 when existing
certificates are allowed to have validity periods carrying on past that
date.
3) Other

Could you clarify?


> 2. The prohibition of issuing non-browser based SHA-1 certs beyond Dec 31,
> 2015.  This appears to be a huge issue, the scope of which is still being
> quantified. (Some may say that they shouldn't have been issuing from public
> roots but this started way before the CA/B Forum)


To make sure I understand, is it fair to restate this as "Proponents of
SHA-1 issuance do not understand why it is prohibited beginning Jan 1, 2016
for certificates that are used for SSL/TLS but not used within browser
environments"?