[cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

Gervase Markham gerv at mozilla.org
Thu Oct 27 08:05:10 UTC 2016

On 26/10/16 21:40, Wayne Thayer via Public wrote:
> Moreover, without formal approval of this rule change, every CA that
> wishes to maintain SHA-1 OCSP signing capability is left with a
> dilemma - do I assume the ballot will eventually pass, or do I cram
> in a ceremony to create a long-lived SHA-1 responder certificate
> before the deadline?

Would a straw poll help to ease that fear? But three browsers already
support this, and I can't see many CAs opposing it.

> I accept that neither of these reasons amounts to a crisis worthy of
> throwing the Forum rulebook out the window. I do think that the
> discussion has been helpful in highlighting what might be an
> inconsistency between the bylaws and the IPR policy, and to serve as
> an example of the problem with having a 50+ day balloting process.
> The current situation is unique, but I'll be surprised if it's the
> last time that we're looking for a way to "rush" through a ballot.

Quite so. See my points earlier about perhaps updating the process so
the formal vote happens beforehand, but the change is held in abeyance
pending the completion of IPR review. That way, CAs can at least have
certainty about what the vote result is, even if they don't have
certainty about what an IPR review might turn up.
