ad-assurance - [AD-Assurance] FW: [team] Microsoft, RC4 and SHA-1
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: Ann West <>
- Subject: [AD-Assurance] FW: [team] Microsoft, RC4 and SHA-1
- Date: Tue, 12 Nov 2013 22:53:50 +0000
Hmmm…...
On 11/12/13 2:07 PM, "Joe St Sauver" wrote:
>Hi,
>
>Some of you (JCWK) may recall that I'd talked about submitting a talk for
>Educause/Internet2 security professionals talking about choice of crypto.
>That is, what cipher suites SHOULD you be using these days (including
>things like perfect forward secrecy).
>
>It's like Microsoft read my mind....
>
>Their actions today get them another gold star (although as Drew Carey
>used to say on "Whose Line Is It Anyway?" "the points don't matter").
>
>This time Microsoft's deprecating RC4 and SHA-1. See:
>
>http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx
>
>The pie chart tells the story on this one:
>
>3.9% of Internet sites *require* RC4, 38.65% *prefer* RC4, and 57.45%
>are "not using" RC4.
>
>Microsoft deprecating RC4 has the potential to make a HUGE improvement
>in the quality of the crypto used on the Internet.
>
>See also:
>
>http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
>
>With respect to the SHA-1 policy I quote:
>
> Today Microsoft has announced a new policy for Certificate Authorities
> (CAs) that deprecates the use of the SHA1 algorithm in SSL and code
> signing certificates, in favor of SHA2. The policy affects CAs who are
> members of the Windows Root Certificate Program who issue publicly
> trusted certificates. It will allow CAs to continue to issue SSL and
> code signing certificates until January 1 2016, and thereafter issue
> SHA2 certificates only.
>
> SHA1 has been in use among CAs since the late 1990s, and today accounts
> for the overwhelming majority of SSL and code signing certificates in
> use today. US NIST Guidance has counseled that SHA1 should not be
> trusted past January 2014 for the higher level of assurance
> communications over the US Federal Bridge PKI. Common practice however
> has been to continue to issue SHA1-based certificates, and today SHA1
> certificates account for over 98% of certificates issued worldwide.
> Recent advances in cryptographic attacks upon SHA1 lead us to the
> observation that industry cannot abide continued issuance of SHA1, but
> must instead transition to SHA2 certificates.
>
>I plan to talk about this with Comodo during our call tomorrow.
>
>Thanks,
>
>Joe