Skip to Content.
Sympa Menu

ad-assurance - [AD-Assurance] RE: [team] Microsoft, RC4 and SHA-1

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

[AD-Assurance] RE: [team] Microsoft, RC4 and SHA-1


Chronological Thread 
  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: [team] Microsoft, RC4 and SHA-1
  • Date: Wed, 13 Nov 2013 16:15:16 +0000
  • Accept-language: en-US

I'm glad the SHA-1 issue is being discussed because for many institutions
using the Comodo certs, they can't achieve Silver with the SHA-1 signed SSL
certificates after 12/31/2013. So, it wasn't clear if an institution would
be "OK" if their certificate issue date was before 12/31/13 or if their
certificates were not SHA-1 after 12/31/13. That is, can you get
grandfathered in with a certificate and meet Silver, or do you have to get
all new certificates?

The RC4 discussion seems to put the lid on any potential alternative means
for Active Directory, NTLM, Syskey, etc, so hopefully the "out-of-scope
approach" will be workable.

-----Original Message-----
From:


[mailto:]
On Behalf Of Ann West
Sent: Tuesday, November 12, 2013 5:54 PM
To:

Subject: [AD-Assurance] FW: [team] Microsoft, RC4 and SHA-1

Hmmm…...


On 11/12/13 2:07 PM, "Joe St Sauver"
<>
wrote:

>Hi,
>
>Some of you (JCWK) may recall that I'd talked about submitting a talk
>for
>Educause/Internet2 security professionals talking about choice of crypto.
>That is, what cipher suites SHOULD you be using these days (including
>things like perfect forward secrecy).
>
>It's like Microsoft read my mind....
>
>Their actions today get them another gold star (although as Drew Carey
>used to say on "Who's Line Is It Anyway?" "the points don't matter").
>
>This time Microsoft's deprecating RC4 and SHA-1. See:
>
>http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-286
>872
>5-recommendation-to-disable-rc4.aspx
>
>The pie chart tells the story on this one:
>
>3.9% of Internet sites *require* RC4, 38.65% *prefer* RC4, and 57.45%
>are "not using" RC4.
>
>Microsoft deprecating RC4 has the potential to make a HUGE improvement
>in the quality of the crypto used on the Internet.
>
>See also:
>
>http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.
>aspx
>
>With respect to the SHA-1 policy I quote:
>
> Today Microsoft has announced a new policy for Certificate
> Authorities
> (CAs) that deprecates the use of the SHA1 algorithm in SSL and code
> signing certificates, in favor of SHA2. The policy affects CAs who are
> members of the Windows Root Certificate Program who issue publicly
> trusted certificates. It will allow CAs to continue to issue SSL and
> code signing certificates until January 1 2016, and thereafter issue
> SHA2 certificates only.
>
> SHA1 has been in use among CAs since the late 1990s, and today
> accounts for the overwhelming majority of SSL and code signing
> certificates in use today. US NIST Guidance has counseled that SHA1
> should not be trusted past January 2014 for the higher level of
> assurance communications over the US Federal Bridge PKI. Common
> practice however has been to continue to issue SHA1-based
> certificates, and today SHA1 certificates account for over 98% of
> certificates issued worldwide.
> Recent advances in cryptographic attacks upon SHA1 lead us to the
> observation that industry cannot abide continued issuance of SHA1, but
> must instead transition to SHA2 certificates.
>
>I plan to talk about this with Comodo during our call tomorrow.
>
>Thanks,
>
>Joe




Archive powered by MHonArc 2.6.16.

Top of Page