On 09/03/16 19:03, Yuhong Bao wrote:
I know of one blocker: Microsoft. Their TechNet article at aka.ms/sha1 says 
that CAs are allowed to use SHA-1 and SHA-2 for OCSP signing certs and OCSP 
responses, to allow continued support for XP SP1 and 2, and Server 2003. Using 
SHA-2 only for OCSP signing certs and OCSP responses will break those platforms.

I don't think XP supports OCSP at all.

XP doesn't support OCSP out of the box, but CryptoAPI does support third-party revocation providers (some of which use OCSP and perhaps don't support SHA-2). I'd like to think that the number of users of such revocation providers is statistically insignificant by now though.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
dev-security-policy mailing list
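The thread above is about whether CAs can move OCSP signing certs and OCSP responses to SHA-2 only. A practical follow-up for an operator is simply to check what a responder is actually signing with. The block below is an added example, not code from the thread or from any participant: a small pure-standard-library DER walker that extracts the signatureAlgorithm OID from an OCSPResponse (RFC 6960 layout) and flags SHA-1-based algorithms. It assumes definite-length DER as real responders emit it, and the sample responses it builds are constructed inline with a placeholder tbsResponseData and signature, so they are only for exercising the parser, not valid responder output.

```python
# Added example (not from the mailing-list thread): audit the signature
# algorithm an OCSP responder uses. Pure standard library; the sample
# responses are constructed here and are NOT real responder output.

SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
ECDSA_WITH_SHA1 = "1.2.840.10045.4.1"
ECDSA_WITH_SHA256 = "1.2.840.10045.4.3.2"
ID_PKIX_OCSP_BASIC = "1.3.6.1.5.5.7.48.1.1"

SHA1_ALGS = {SHA1_WITH_RSA, ECDSA_WITH_SHA1}

# --- minimal DER decoding (definite-length only) ---------------------------

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed type."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def _decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

# --- walk OCSPResponse -> BasicOCSPResponse.signatureAlgorithm -------------

def ocsp_signature_algorithm(der):
    """Return the dotted OID of signatureAlgorithm in a successful OCSPResponse."""
    tag, vs, ve = _read_tlv(der, 0)                  # OCSPResponse ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    elems = list(_children(der, vs, ve))
    status_tag, ss, se = elems[0]                    # responseStatus ENUMERATED
    if status_tag != 0x0A:
        raise ValueError("missing responseStatus")
    if der[ss:se] != b"\x00":                        # only 'successful' carries a signature
        raise ValueError("responseStatus is not successful; no signature present")
    rb_tag, rs, _ = elems[1]                         # responseBytes [0] EXPLICIT
    if rb_tag != 0xA0:
        raise ValueError("missing responseBytes")
    _, rss, rse = _read_tlv(der, rs)                 # ResponseBytes ::= SEQUENCE
    rb = list(_children(der, rss, rse))
    _, ts, te = rb[0]                                # responseType OID
    if _decode_oid(der[ts:te]) != ID_PKIX_OCSP_BASIC:
        raise ValueError("unsupported responseType")
    _, os_, oe = rb[1]                               # response OCTET STRING
    basic = der[os_:oe]
    _, bs, be = _read_tlv(basic, 0)                  # BasicOCSPResponse ::= SEQUENCE
    b = list(_children(basic, bs, be))
    _, as_, ae = b[1]                                # b[0]=tbsResponseData, b[1]=signatureAlgorithm
    oid_tag, ois, oie = next(_children(basic, as_, ae))
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm lacks an OID")
    return _decode_oid(basic[ois:oie])

def uses_sha1(der):
    """True if the response is signed with a SHA-1-based algorithm."""
    return ocsp_signature_algorithm(der) in SHA1_ALGS

# --- constructed sample input (placeholder contents, for the parser only) ---

def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _len(len(value)) + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def build_sample_response(alg_oid, status=0):
    """Constructed OCSPResponse; tbsResponseData and signature are placeholders."""
    body = _tlv(0x0A, bytes([status]))
    if status == 0:
        params = _tlv(0x05, b"") if alg_oid.startswith("1.2.840.113549") else b""
        alg = _tlv(0x30, _tlv(0x06, _encode_oid(alg_oid)) + params)
        basic = _tlv(0x30, _tlv(0x30, b"") + alg + _tlv(0x03, b"\x00" * 9))
        rb = _tlv(0x30, _tlv(0x06, _encode_oid(ID_PKIX_OCSP_BASIC)) + _tlv(0x04, basic))
        body += _tlv(0xA0, rb)
    return _tlv(0x30, body)

if __name__ == "__main__":
    for oid in (SHA1_WITH_RSA, SHA256_WITH_RSA, ECDSA_WITH_SHA256):
        resp = build_sample_response(oid)
        print(ocsp_signature_algorithm(resp), "SHA-1" if uses_sha1(resp) else "not SHA-1")
```

To audit a live responder, feed `ocsp_signature_algorithm` the raw bytes of a real response instead of the constructed one (the OCSP signing certificate's own signature algorithm is a separate check, since the thread distinguishes the signing cert from the response).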
