On 09/03/16 19:03, Yuhong Bao wrote:
>> I know of one blocker: Microsoft. Their TechNet article at aka.ms/sha1 says
>> that CAs are allowed to use SHA-1 and SHA-2 for OCSP signing certs and OCSP
>> responses, to allow continued support for XP SP1 and 2, and Server 2003. Using
>> SHA-2 only for OCSP signing certs and OCSP responses will break those platforms.
> I don't think XP supports OCSP at all.
XP doesn't support OCSP out of the box, but CryptoAPI does support
third-party revocation providers (some of which use OCSP and perhaps
don't support SHA-2). I'd like to think that the number of users of
such revocation providers is statistically insignificant by now though.
Senior Research & Development Scientist
COMODO - Creating Trust Online
dev-security-policy mailing list
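The thread above is about which signature algorithm a CA's OCSP responder emits. The following is an added example, not code from the thread or from any of its participants: a standard-library-only reader that pulls the signatureAlgorithm OID out of a DER-encoded OCSPResponse (RFC 6960 structure: OCSPResponse -> responseBytes -> BasicOCSPResponse) and reports whether it is sha1WithRSAEncryption. The sample response it parses is constructed in the block itself with a tiny DER writer; its tbsResponseData is a skeleton and its signature field is placeholder bits, not a real signature, so this only inspects the declared algorithm and does not verify anything.

```python
"""Added example (not from the dev-security-policy thread): report which
signature algorithm a DER OCSP response was signed with.  Stdlib only."""

SHA1_RSA = "1.2.840.113549.1.1.5"      # sha1WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption
ID_PKIX_OCSP_BASIC = "1.3.6.1.5.5.7.48.1.1"


# --- minimal DER writer, used only to build the constructed sample ---------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_sample_response(sig_alg_oid):
    """Constructed OCSPResponse (successful status) whose BasicOCSPResponse
    declares sig_alg_oid.  tbsResponseData is a skeleton (byName responder,
    producedAt, empty responses) and the signature is placeholder bits."""
    tbs = tlv(0x30, tlv(0xA1, tlv(0x30, b""))          # responderID [1] byName
                    + tlv(0x18, b"20160309190300Z")    # producedAt
                    + tlv(0x30, b""))                  # responses (empty)
    alg = tlv(0x30, oid(sig_alg_oid) + b"\x05\x00")    # AlgorithmIdentifier, NULL params
    sig = tlv(0x03, b"\x00" + b"\x00" * 16)            # BIT STRING, placeholder
    basic = tlv(0x30, tbs + alg + sig)
    response_bytes = tlv(0x30, oid(ID_PKIX_OCSP_BASIC) + tlv(0x04, basic))
    return tlv(0x30, tlv(0x0A, b"\x00") + tlv(0xA0, response_bytes))


# --- minimal DER reader ----------------------------------------------------
def read_tlv(buf, pos=0):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    cur = 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def ocsp_signature_algorithm(der):
    """Return the dotted OID from BasicOCSPResponse.signatureAlgorithm."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not an OCSPResponse SEQUENCE")
    parts = children(body)
    status = parts[0][1][0]
    if status != 0:
        raise ValueError("responseStatus %d carries no responseBytes" % status)
    _, rb_body, _ = read_tlv(parts[1][1])                # responseBytes SEQUENCE
    rtype, rdata = children(rb_body)
    if decode_oid(rtype[1]) != ID_PKIX_OCSP_BASIC:
        raise ValueError("unexpected responseType")
    _, basic, _ = read_tlv(rdata[1])                     # BasicOCSPResponse
    _tbs, sigalg, _signature = children(basic)[:3]
    return decode_oid(children(sigalg[1])[0][1])


def uses_sha1(der):
    return ocsp_signature_algorithm(der) == SHA1_RSA


if __name__ == "__main__":
    for name, o in (("SHA-1", SHA1_RSA), ("SHA-256", SHA256_RSA)):
        resp = build_sample_response(o)
        print(name, ocsp_signature_algorithm(resp), "SHA-1 signed:", uses_sha1(resp))
```

To run this against a live responder instead of the constructed sample, capture a response with `openssl ocsp ... -respout resp.der` and pass the file's bytes to `ocsp_signature_algorithm`. The reader looks only at the algorithm the response declares; it does not check the OCSP signing certificate carried in the `certs` field, which is the other half of the Microsoft guidance quoted above.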