md-distro - Re: [md-distro] MS announcement
Subject: Metadata Distribution Subcommittee of TAC
- From: Ian Young <>
- To:
- Subject: Re: [md-distro] MS announcement
- Date: Sat, 23 Nov 2013 21:14:36 +0000
On 21 Nov 2013, at 18:24, Cantor, Scott wrote:
> On 11/21/13, 1:21 PM, "Tom Scavo" wrote:
>
>> Why do they only call out root CAs? Why not intermediate CAs and end
>> entities as well?
>
> It's not just roots, but their leverage is with the root CA program
> because they can dictate policy as a condition of being in the root store.
> They're telling the roots they won't be allowed to issue certs with SHA-1
> after that date.
>
> If that's all they're really doing, this doesn't really affect much on the
> federation side. The hitch is that it's not clear yet if this is really
> all they're doing.
Microsoft are very, very slow to block out anything that might hack off any
of their corporate customers. "Legacy" is very much in their DNA.
I don't think we would expect MS to invalidate certificates CAs had already
issued, so I think it's pretty unlikely that they will bring the hammer down
on SHA-1 completely until some years after the 1-Jan-2016 cutoff for the
roots. Allowing the normal certificate issuance period of three years after
the day before they change the rule would mean Dec-2018/Jan-2019, five years
after NIST's "disallowed" date.
Just a guess, of course.
-- Ian