Status

This report is for INFORMATION regarding migration to SHA-2 and end of contract preparations.

Information for TTC Members

Moves by Microsoft and Google made it essential to migrate the current TCS to SHA-2 in a short time period, rather than introducing it in the new DigiCert service as planned. A news item has been released and information is available on the TCS pages. Further information on the general issues is available online. The following points should be noted:

  • SHA-2 has been rolled out live and we have SHA-2 versions of all the subCAs corresponding to the TERENA SHA-1 subCAs. These subCAs use intermediate CA certificates that are completely different from those used for SHA-1; however, the root certificates, and hence the trust, have not changed. Server / code signing certificate requests for SHA-2 and SHA-1 via Djangora and the Janet portal / other instances seem to be behaving as expected.
  • We have prepared a new CPS showing these changes; we are waiting for final sign-off from the PMA and then this will be published.
  • Any SHA-1 request with a date past the deadline of 1st January 2017 will automatically switch to SHA-2 regardless. If the request CSR uses a SHA-2 hash, it also appears to generate a SHA-256 certificate, even if the certificate expires before 2017.
  • There are some ongoing issues with requesting personal certificates due to issuer name problems. We have distributed advice to the community on fixing these issues and have asked for feedback to be sent to the TCS list and to the Confusa developers.
  • We have advised that all eScience certificate requests should be SHA-1 for now: SHA-2 has been distributed through the IGTF framework, but since some controls are also associated with the issuer subCA name, the switch might not be painless. David Groep is actively working on this. As eScience certificates are 13 months in duration, they should expire before the cut-off date of 1st January 2017, so it is not an issue.
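A check an administrator can run on the certificates behind the points above, added here as an example that is not part of this report or of the TCS tooling: it reads a PEM bundle (leaf, intermediates, root) with the Python standard library only, pulls the outer signatureAlgorithm OID out of each DER certificate, and reports which ones are still SHA-1 signed. The sample bundle is constructed (dummy tbsCertificate and signature, real Certificate layout) and the function names are assumptions.

```python
import base64, re
# Signature algorithm OIDs (RFC 3279 / RFC 4055); SHA-1 is what the migration retires.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.113549.1.1.12": "sha384WithRSAEncryption", "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}
SHA2_OIDS = {"1.2.840.113549.1.1.11", "1.2.840.113549.1.1.12", "1.2.840.113549.1.1.13"}

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length (real certificates use this)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } (RFC 5280)."""
    _, start, _ = der_tlv(der, 0)
    _, _, tbs_end = der_tlv(der, start)                 # skip over tbsCertificate
    _, alg_start, _ = der_tlv(der, tbs_end)             # signatureAlgorithm ::= SEQUENCE { algorithm OID, ... }
    tag, oid_start, oid_end = der_tlv(der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(der[oid_start:oid_end])

def audit_pem_bundle(pem):
    """Return [(algorithm name, is_sha2)] for each certificate in a PEM bundle, in file order."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    oids = [signature_oid(base64.b64decode("".join(b.split()))) for b in re.findall(pat, pem, re.S)]
    return [(SIG_OIDS.get(o, o), o in SHA2_OIDS) for o in oids]

# Constructed sample data (hypothetical): the real Certificate layout with a dummy tbsCertificate and
# signature, so it parses like a certificate without being a valid one. Run on a real bundle instead.
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value

def fake_cert_pem(sig_oid_hex):
    der = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01")) + _tlv(0x30, _tlv(0x06, bytes.fromhex(sig_oid_hex)))
                     + _tlv(0x03, b"\x00\xff"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SAMPLE_BUNDLE = fake_cert_pem("2a864886f70d01010b") + fake_cert_pem("2a864886f70d010105")  # SHA-256, then SHA-1
```

Any entry reported with `is_sha2` false in the new chain (leaf or intermediate) is one that will stop validating in the browsers named above; a self-signed root on SHA-1 is expected and harmless, since roots are trusted by identity rather than by signature.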

There were some issues with the approach taken by Comodo (e.g. the service was rolled out live rather than tested as planned), but we managed to troubleshoot these thanks to the intervention and hard work of the TCS PMA.

Nicole Harris is now in discussions with the TCS community regarding their needs for issued certificates beyond the end of the Comodo contract. Comodo are contractually obliged to continue to keep certificates valid and revocable, but this needs to be carefully managed to ensure that expectations are met.