Meeting the InCommon Assurance profile criteria using Active Directory

["Capehart,Jeffrey D" <>]

I'm glad the SHA-1 issue is being discussed because for many institutions 
using the Comodo certs, they can't achieve Silver with the SHA-1 signed SSL 
certificates after 12/31/2013.  So, it wasn't clear if an institution would 
be "OK" if their certificate issue date was before 12/31/13 or if their 
certificates were not SHA-1 after 12/31/13.  That is, can you get 
grandfathered in with a certificate and meet Silver, or do you have to get 
all new certificates?

The RC4 discussion seems to put the lid on any potential alternative means 
for Active Directory, NTLM, Syskey, etc, so hopefully the "out-of-scope 
approach" will be workable.

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Ann West
Sent: Tuesday, November 12, 2013 5:54 PM
To: 

Subject: [AD-Assurance] FW: [team] Microsoft, RC4 and SHA-1

Hmmm…...


On 11/12/13 2:07 PM, "Joe St Sauver" 
<>
 wrote:

>Hi,
>
>Some of you (JCWK) may recall that I'd talked about submitting a talk 
>for
>Educause/Internet2 security professionals talking about choice of crypto.
>That is, what cipher suites SHOULD you be using these days (including 
>things like perfect forward secrecy).
>
>It's like Microsoft read my mind....
>
>Their actions today get them another gold star (although as Drew Carey 
>used to say on "Who's Line Is It Anyway?" "the points don't matter").
>
>This time Microsoft's deprecating RC4 and SHA-1. See:
>
>http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-286
>872
>5-recommendation-to-disable-rc4.aspx
>
>The pie chart tells the story on this one:
>
>3.9% of Internet sites *require* RC4, 38.65% *prefer* RC4, and 57.45% 
>are "not using" RC4.
>
>Microsoft deprecating RC4 has the potential to make a HUGE improvement 
>in the quality of the crypto used on the Internet.
>
>See also:
>
>http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.
>aspx
>
>With respect to the SHA-1 policy I quote:
>
>  Today Microsoft has announced a new policy for Certificate 
> Authorities
>  (CAs) that deprecates the use of the SHA1 algorithm in SSL and code  
> signing certificates, in favor of SHA2. The policy affects CAs who are  
> members of the Windows Root Certificate Program who issue publicly  
> trusted certificates.  It will allow CAs to continue to issue SSL and  
> code signing certificates until January 1 2016, and thereafter issue
>  SHA2 certificates only.
>  
>  SHA1 has been in use among CAs since the late 1990s, and today 
> accounts  for the overwhelming majority of SSL and code signing 
> certificates in  use today.  US NIST Guidance has counseled that SHA1 
> should not be  trusted past January 2014 for the higher level of 
> assurance  communications over the US Federal Bridge PKI.  Common 
> practice however  has been to continue to issue SHA1-based 
> certificates, and today SHA1  certificates account for over 98% of 
> certificates issued worldwide.
>  Recent advances in cryptographic attacks upon SHA1 lead us to the  
> observation that industry cannot abide continued issuance of SHA1, but  
> must instead transition to SHA2 certificates.
>
>I plan to talk about this with Comodo during our call tomorrow.
>
>Thanks,
>
>Joe