md-distro - Re: [md-distro] MS announcement

Subject: Metadata Distribution Subcommittee of TAC

  • From: Ian Young <>
  • To:
  • Subject: Re: [md-distro] MS announcement
  • Date: Sat, 23 Nov 2013 21:14:36 +0000


On 21 Nov 2013, at 18:24, Cantor, Scott <> wrote:

> On 11/21/13, 1:21 PM, "Tom Scavo" <> wrote:
>
>> Why do they only call out root CAs? Why not intermediate CAs and end
>> entities as well?
>
> It's not just roots, but their leverage is with the root CA program
> because they can dictate policy as a condition of being in the root store.
> They're telling the roots they won't be allowed to issue certs with SHA-1
> after that date.
>
> If that's all they're really doing, this doesn't really affect much on the
> federation side. The hitch is that it's not clear yet if this is really
> all they're doing.

Microsoft are very, very slow to block out anything that might hack off any
of their corporate customers. "Legacy" is very much in their DNA.

I don't think we would expect MS to invalidate certificates CAs had already
issued, so I think it's pretty unlikely that they will bring the hammer down
on SHA-1 completely until some years after the 1-Jan-2016 cutoff for the
roots. Allowing the normal certificate issuance period of three years after
the day before they change the rule would mean Dec-2018/Jan-2019, five years
after NIST's "disallowed" date.

Just a guess, of course.

-- Ian
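The practical question behind Tom's "roots, intermediates or end entities?" and Ian's timeline guess is: which certificates in a deployment are SHA-1-signed, and were they issued before or after the 1-Jan-2016 cutoff the thread discusses? The following Python is an added example, not code from this thread or from any of its participants. It contains a minimal DER reader that pulls the signatureAlgorithm OID and the notBefore date out of an X.509 Certificate, and classifies the certificate against that cutoff: SHA-1 issued on or after 1-Jan-2016 breaks the root-program rule, SHA-1 issued earlier is the "legacy" case Ian expects to survive for a while, anything else is unaffected. The sample certificates are constructed skeletons built by the same script (structurally valid Certificate SEQUENCEs with empty names and a dummy signature), not real CA-issued certificates; the OID-to-name table covers only the two RSA algorithms needed here.

```python
import datetime

# Dotted OID -> name for the two signature algorithms this example distinguishes.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
SHA1_OID = "1.2.840.113549.1.1.5"
# Cutoff from the thread: roots may not issue SHA-1 certificates after this date.
SHA1_ISSUANCE_CUTOFF = datetime.date(2016, 1, 1)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split a constructed DER body into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                                # last base-128 digit
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def parse_cert(der):
    """Return (signature OID, notBefore date) from a DER-encoded Certificate."""
    _, cert_body, _ = _read_tlv(der, 0)                 # outer SEQUENCE
    tbs, sig_alg, _sig_value = _children(cert_body)
    sig_oid = decode_oid(_children(sig_alg[1])[0][1])   # AlgorithmIdentifier.algorithm
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = _children(fields[3][1])                  # serial, signature, issuer, validity
    t = validity[0][1].decode("ascii")                  # UTCTime YYMMDDHHMMSSZ
    yy = int(t[:2])
    year = 2000 + yy if yy < 50 else 1900 + yy          # RFC 5280 two-digit year rule
    return sig_oid, datetime.date(year, int(t[2:4]), int(t[4:6]))


def classify(der):
    """Return (algorithm name, verdict) for one certificate."""
    oid, issued = parse_cert(der)
    name = SIG_ALG_NAMES.get(oid, oid)
    if oid != SHA1_OID:
        return name, "unaffected"
    if issued >= SHA1_ISSUANCE_CUTOFF:
        return name, "violates-cutoff"                  # should never have been issued
    return name, "legacy"                               # accepted for now; plan replacement


# --- constructed sample data below: a tiny DER encoder and skeleton certificates ---

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytes([p[0] * 40 + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return out


def make_skeleton_cert(sig_oid, not_before, not_after):
    """Constructed sample: valid Certificate structure, empty names, dummy signature."""
    alg = _tlv(0x30, _tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")  # algorithm + NULL params
    validity = _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02")        # version v3
                     + b"\x02\x01\x01"                  # serialNumber 1
                     + alg + _tlv(0x30, b"") + validity + _tlv(0x30, b"") + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 5))


if __name__ == "__main__":
    for oid, nb in [(SHA1_OID, "151231000000Z"), (SHA1_OID, "160101000000Z"),
                    ("1.2.840.113549.1.1.11", "160101000000Z")]:
        print(classify(make_skeleton_cert(oid, nb, "190101000000Z")))
```

For real certificates, feed `classify()` the DER bytes of each certificate in the chain separately; the verdict only matters for intermediates and end entities, since a root's self-signature is never verified by a relying party and the root program's cutoff applies to what the roots issue.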



Attachment: smime.p7s
Description: S/MIME cryptographic signature
