As you all hopefully know by now, Microsoft released a security update that disallows the use of RSA keys with a key length below 1024 bits. And now there is a new important security advisory from Microsoft with news on certificates in the platform.
This time they are issuing a recommendation to discontinue the use of SHA-1 as a hash algorithm in certificates. SHA-1 was published in 1995 and, as we all know, a lot has happened in the IT industry since then. Considering that NIST recommended moving away from SHA-1 as early as 2005, we probably should have done this a long time ago. But the fact that up to 98% of the certificates in use today use SHA-1 tells us that this has not happened.
So how will this security advisory impact us? Nothing will happen right away; it will take a couple of years before Microsoft stops accepting these certificates. But the SHA-1 deprecation policy says the following:
Applies to Windows Vista and later, and Windows Server 2008 and later (all supported operating systems).
CAs must stop issuing new SHA-1 SSL and code signing certificates by 1 January 2016.
Windows will stop accepting SHA-1 end-entity certificates by 1 January 2017. This means that all valid SHA-1 SSL certificates must be replaced by that date.
Code Signing Certificates
After 1 January 2016 Windows will stop accepting SHA-1 code signing certificates, with one exception: if the signed code carries a time stamp it will still be accepted until further notice. So the first step is to make sure that all code is time stamped when signed from now on. Then you should get a new code signing certificate with SHA-2 issued as soon as possible.
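A quick way to find the SSL and code signing certificates this policy affects is to read the signatureAlgorithm OID straight out of each certificate's DER encoding, which tells you which hash the issuing CA signed with. The following is an added example, not part of the advisory or of this post, using only the Python standard library; the two skeleton certificates are constructed for the demonstration and are not real certificates.

```python
# Signature algorithm OIDs (RFC 3279 / RFC 4055) and the hash each one implies.
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
}

def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)

def signature_hash(cert_der):
    """Return the hash used in the certificate's outer signature (what the CA signed with)."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    _, _, pos = read_tlv(cert)          # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)  # signatureAlgorithm: AlgorithmIdentifier
    _, oid, _ = read_tlv(alg_id)        # first element is the algorithm OID
    dotted = decode_oid(oid)
    return SIG_ALG_HASH.get(dotted, "unknown(" + dotted + ")")

def needs_replacement(cert_der):
    """True when the signature hash is SHA-1 (or weaker) and the cert must be reissued with SHA-2."""
    return signature_hash(cert_der) in ("md5", "sha1")

# Constructed skeleton certificates (not real): a dummy tbsCertificate, a genuine AlgorithmIdentifier
# for sha1WithRSAEncryption / sha256WithRSAEncryption with NULL parameters, and a dummy signature.
SHA1_CERT = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d010105" "0500" "030200ff")
SHA256_CERT = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d01010b" "0500" "030200ff")

if __name__ == "__main__":
    for name, der in (("sha1-skeleton", SHA1_CERT), ("sha256-skeleton", SHA256_CERT)):
        print(name, signature_hash(der), "REPLACE" if needs_replacement(der) else "ok")
```

Point `needs_replacement` at the DER bytes of every certificate you export from your stores and the list of what must be reissued before the 2016 and 2017 deadlines falls out directly.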
Microsoft Root Certificate Program
Members of the Root Certificate Program will not be allowed to issue certificates using the SHA-1 hashing algorithm for the purpose of SSL and code signing after 1 January 2016.
MS Security Advisory 2880823 (http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2880823-recommendation-to-discontinue-use-of-sha-1.aspx)
The effect on the Microsoft Root Certificate Program (http://technet.microsoft.com/en-us/security/advisory/2880823)