[cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

Rob Stradling rob.stradling at comodo.com
Thu Oct 27 10:18:55 UTC 2016

On 27/10/16 09:05, Gervase Markham via Public wrote:
> On 26/10/16 21:40, Wayne Thayer via Public wrote:
>> Moreover, without formal approval of this rule change, every CA that
>> wishes to maintain SHA-1 OCSP signing capability is left with a
>> dilemma - do I assume the ballot will eventually pass, or do I cram
>> in a ceremony to create a long-lived SHA-1 responder certificate
>> before the deadline?
> Would a straw poll help to ease that fear? But three browsers already
> support this, and I can't see many CAs opposing it.

Please could we first establish precisely _why_ any CA needs to sign any
further OCSP responses or OCSP responder certs with SHA-1?

[See my question to Rick about old versions of Windows]

Depending on Rick's answer, I may have an alternative technical proposal
(that won't require further SHA-1 signatures).

If it turns out that there's no actual technical need for this ballot,
then I oppose it.

>> I accept that neither of these reasons amounts to a crisis worthy of
>> throwing the Forum rulebook out the window. I do think that the
>> discussion has been helpful in highlighting what might be an
>> inconsistency between the bylaws and the IPR policy, and to serve as
>> an example of the problem with having a 50+ day balloting process.
>> The current situation is unique, but I'll be surprised if it's the
>> last time that we're looking for a way to "rush" through a ballot.
> Quite so. See my points earlier about perhaps updating the process so
> the formal vote happens beforehand, but the change is held in abeyance
> pending the completion of IPR review. That way, CAs can at least have
> certainty about what the vote result is, even if they don't have
> certainty about what an IPR review might turn up.
> Gerv

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
