[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Ryan Sleevi sleevi at google.com
Sat Feb 4 03:53:37 UTC 2017

On Fri, Feb 3, 2017 at 7:42 PM, realsky(CHT) <realsky at cht.com.tw> wrote:

> ===>
> Ryan, You said you hope Jody can share his graph. Do you mean the
> discussion in last Fall Redmond F2F meeting as the minute below in
> Mozilla's news section?
> https://cabforum.org/2016/10/19/2016-10-19-20-f2f-meeting-39-minutes/#Mozilla
> Side note based on comments from Microsoft
> • MS shows 20M sites with SHA-1 whereas FF counts traffic
> • Why do this now vs. waiting a year, that’s the rush?
> • Wants to work with other browsers on timing. Google might have different
> pain thresholds. Goal is to figure out we get proper user feedback and that
> stakeholders are not screaming.

There were several graphs, but one of them examined the validity period of
the certificates they were seeing; that is, when do these certs naturally

As captured in the remark, the point was "Too many valid certs out there"
that were causing discomfort in disabling SHA-1, which would break them.

> The no-SHA-1 requirement came in force January 2016 - not 2015. We passed
> the Ballot in 2015, following Microsoft's announced deprecation in Nov 12,
> 2013 - https://technet.microsoft.com/en-us/library/security/2880823.aspx
> ==>
> The SHA-1 sunset ballot was passed on 16 October 2014, not 2015.
> Please see
> https://cabforum.org/2014/10/16/ballot-118-sha-1-sunset/

Thanks; an unintentional typo but that still highlights it took a year for
the Forum to agree (even after a root program required it), and it took 2
years and some change before browsers disabled it, and it *still* broke
(and breaks) a number of sites.

> I think most CAs offer their customers to migrate SHA-1 SSL certificates to
> SHA 256 SSL certificates for free. Try their best to call out and e-mail to
> the customers to encourage them.

A number of CAs had trouble. I think
https://github.com/konklone/shaaaaaaaaaaaaa/issues/24 - a site Eric Mill
put together when Chrome made the UI changes - is a pretty telling example
of CAs not being as prepared as they otherwise suggested. More importantly,
it highlights that changes didn't happen until they were forced - and a
number of customers who actively wanted to be more secure were prevented by
the insecure practices and defaults of a number of CAs.