Ballot 118 – SHA-1 Sunset (passed)

Ballot overview

• Ballot 118, SHA-1 Sunset, passed.
• The ballot was in the Server Certificate Working Group.
• Voting closed on 16 October 2014.
• The review period ran from 2 October 2014 at 2200 UTC to 9 October 2014 at 2200 UTC, and voting closed at 2200 UTC on Thursday, 16 October 2014.

What the ballot changed

• The motion added a new Baseline Requirements section 9.4.2, SHA-1 Validity Period.
• Effective 1 January 2016, CAs must not issue any new Subscriber certificates or Subordinate CA certificates using the SHA-1 hash algorithm.
• CAs may continue to sign certificates to verify OCSP responses using SHA1 until 1 January 2017.
• The section does not apply to Root CA or CA cross certificates.
• CAs may continue to use their existing SHA-1 Root Certificates.
• SHA-2 Subscriber certificates should not chain up to a SHA-1 Subordinate CA Certificate.
• Effective 16 January 2015, CAs should not issue Subscriber Certificates using SHA-1 with an expiry date greater than 1 January 2017.
• The ballot also amended Appendix A notes so that SHA-1 may be used with RSA keys in accordance with section 9.4.2.

Adoption and voting result

• The chair received yes votes from the listed voting members, no votes from SECOM Trust Systems, and there were no abstentions.
• Therefore, Ballot 118 passed.

Compliance timing

• The main compliance date is 1 January 2016 for the prohibition on issuing new SHA-1 Subscriber certificates and Subordinate CA certificates.
• A separate earlier date, 16 January 2015, applies to the recommendation not to issue SHA-1 Subscriber Certificates with expiry dates beyond 1 January 2017.
• OCSP signing with SHA1 was allowed until 1 January 2017.
• The section does not apply to Root CA or CA cross certificates.