Microsoft Deprecating Certificates Using SHA-1 Starting 2016

Microsoft Security Research & Defense just published a blog post on Security Advisory 2880823: Recommendation to discontinue use of SHA-1.The original security advisory can be found here.

It outlines a new Microsoft policy which states that certificates issued after January 1 2016 will not be considered valid if they use the SHA-1 hash algorithm.

Specifically, regarding TLS server certificates, they will no longer be considered valid if they use SHA-1 after January 1 2017. Any existing server certificates using SHA-1 will need to be replaced before then.

Regarding code signing certificates and signed code, there’s less time to act. Existing binaries signed with a code signing certificate using SHA-1, and which have not been signed with a time stamp, will no longer be considered valid after January 1 2016. There is an unspecified grace period for time stamped signed binaries, but it is probably safest to both replace existing SHA-1 code signing certificates and re-sign existing signed code before 2016. In any case it is certainly a good idea to start time stamping your code during the code signing process if you are not already doing so.

At the moment it isn’t entirely clear how this affects Swedish Citizen Ids as they are not issued under the Windows Root Certificate Program. It also remains to be seen how other players like Apple, Google and the Mozilla Foundation choose to respond.

More information on the new Microsoft policy for Certificate Authorities which is referred to in the security advisory can be found here. The updated technical requirements for the Windows Root Certificate Program can be found here.


Nästa inlägg ("Ayoy Joins OpenID Foundation") >>
<< Tidigare inlägg ("E-legitimationsnämnden publicerar pris")
Share This:    
Oscar Jacobsson

Oscar har arbetat med elektronisk identifiering sedan 1995, och med e-legitimationer sedan 2002. 2010 grundade han Ayoy tillsammans med John Allberg.