[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

realsky(CHT) realsky at cht.com.tw
Sat Feb 4 03:42:36 UTC 2017

-----Original message-----
From:Ryan Sleevi via Public<public at cabforum.org>
To:Geoff Keating<geoffk at apple.com>
Cc:Ryan Sleevi<sleevi at google.com>,CA/Browser Forum Public Discussion List<public at cabforum.org>
Date: Sat, 04 Feb 2017 09:37:51
Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

On Fri, Feb 3, 2017 at 4:35 PM, Geoff Keating <geoffk at apple.com> wrote:
Weren’t most of the long-lived certificates that caused problems those issued before the current limit of ~3 years?  

Nope, not in our experience. I'm hoping Jody can share his graph, but much of our 'breakage' experience was from sites where the CA waited to stop issuing SHA-1 certs until it was explicitly forbidden - that is, they did not even default to SHA-256, or made it considerably *more* difficult for their customers to obtain SHA-256 signed certs.

Ryan, you said you hope Jody can share his graph. Do you mean the discussion at last fall's Redmond F2F meeting, as in the minutes below from Mozilla's news section?

Side note based on comments from Microsoft
•MS shows 20M sites with SHA-1 whereas FF counts traffic
•Why do this now vs. waiting a year, that’s the rush?
•Wants to work with other browsers on timing. Google might have different pain thresholds. Goal is to figure out we get proper user feedback and that stakeholders are not screaming.

The no-SHA-1 requirement came in force January 2016 - not 2015. We passed the Ballot in 2015, following Microsoft's announced deprecation in Nov 12, 2013 - https://technet.microsoft.com/en-us/library/security/2880823.aspx

The SHA-1 sunset ballot was passed on 16 October 2014, not 2015. 
Please see 

I think most CAs offer to let their customers migrate SHA-1 SSL certificates to SHA-256 SSL certificates for free, and try their best to call and e-mail the customers to encourage them.

Sincerely Yours,

      Li-Chun Chen
     Chunghwa Telecom Co. Ltd.
