On 23/03/2016 18:26, Jeremy Rowley wrote:
What about code signing and s/MIME certs? Code signing is still used by MS
for legacy software until Jan 2017.
Wrong date, Wrong data.
Until Jan 2017, the Microsoft systems that accept SHA-256 code signing
and associated (logically unrelated, but practically related) code
signing features, will accept new time stamp authority signatures made
using SHA-1, however those systems already refuse new code signing
signatures made using SHA-1 after Jan 2016 (but see 2 paragraphs
below)
For an *unlimited* time, the Microsoft Operating Systems for which they
have refused to provide the updated code signing features will
continue to *require* that the first in an ordered set of code signing
signatures on a file is created exclusively using SHA-1 or MD5. This
requirement is the reason the major CAs have set up various subCAs that
issue code signing X.509 certificates AND time stamp authority
signatures acceptable to this old verification code.
For an *unlimited* time, the Microsoft Operating Systems with the new
features will allow files to carry multiple signatures in an ordered
set (similar but not identical to how the jar file standard used by
Mozilla extensions allows multiple signatures via multiple signature
file names). In all but one (annoying) case these systems will accept
a file as long as at least one signature is good enough for the then
current criteria.
For an *unlimited* time, an unspecified set of 3rd party systems will
also insist on SHA-1 certificates for various uses where broken SHA-1
is still better than nothing. In most cases this is limited only by
the physical hardware lifetime (consider the recent request from a
payment provider that had failed to obtain a 2015 certificate for
talking to a minority of hardware scheduled for later replacement, then
consider less security critical uses where the associated hardware
would not be updated just to allow the central system to switch to a
better algorithm).
-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla
.org] On Behalf Of [email protected]
Sent: Tuesday, March 22, 2016 10:49 AM
To: [email protected]
Subject: Re: Drafting Q1 2016 CA Communication
On Tuesday, March 22, 2016 at 9:33:19 AM UTC-7, [email protected] wrote:
The following 'ACTION #1c' has been added to the communication, which is
here:
https://wiki.mozilla.org/CA:Communications#March_2016
and click on "Link to DRAFT of March 2016 CA Communication".
Also, I have filled in proposed dates, assuming I send the communication
next week.
I used two dates...
April 22,2016 -- the date by which CAs must enter their initial response to
this communication into the CA Community in Salesforce.
June 30, 2016 -- the date by which CAs must take the requested actions:
enter intermediate cert data into the CA Community in Salesforce, and stop
issuing certs with the problems listed in ACTION #4.
I would especially like to hear from CAs in regards to if these dates are
reasonable.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
