Saturday, December 14, 2013

SHA1 Deprecation–Information and Policy

Source -

Today Microsoft has announced a new policy for Certificate Authorities (CAs) that deprecates the use of the SHA1 algorithm in SSL and code signing certificates, in favor of SHA2. The policy affects CAs who are members of the Windows Root Certificate Program who issue publicly trusted certificates.  It will allow CAs to continue to issue SSL and code signing certificates until January 1 2016, and thereafter issue SHA2 certificates only.

SHA1 has been in use among CAs since the late 1990s, and today accounts for the overwhelming majority of SSL and code signing certificates in use today.  US NIST Guidance has counseled that SHA1 should not be trusted past January 2014 for the higher level of assurance communications over the US Federal Bridge PKI.  Common practice however has been to continue to issue SHA1-based certificates, and today SHA1 certificates account for over 98% of certificates issued worldwide. Recent advances in cryptographic attacks upon SHA1 lead us to the observation that industry cannot abide continued issuance of SHA1, but must instead transition to SHA2 certificates.

The deadlines in this SHA1 deprecation policy reflect Microsoft’s estimation of the seriousness of the threat from SHA1 attacks. Our primary goal is to protect the integrity of the Windows platform and Windows customers. We want to avoid a situation where customers are caught unprepared because of a sudden advance in hash collision attacks.  Without any other motivator for CAs to transition their customers to SHA2, when SHA1 becomes exploitable a sizable number of customers may be dependent on an insecure hash algorithm.

Read more at source -


Post a Comment

Popular Posts


Twitter Delicious Facebook Digg Stumbleupon Favorites More