Ballot SC053: Sunset for SHA-1 OCSP Signing

Ballot overview

• Ballot SC053, Sunset for SHA-1 OCSP Signing, was a Server Certificate Working Group ballot.
• Its purpose was to establish a sunset date prohibiting delegated OCSP signing with the SHA-1 hash algorithm.
• The ballot modified the Baseline Requirements based on Version 1.8.0 and was incorporated into Baseline Requirements version 1.8.2.

Voting and adoption

• Voting on ballot SC53 completed and the ballot passed.
• Certificate Issuers: 21 yes votes, 0 no votes, 0 abstentions.
• Certificate Consumers: 5 yes votes, 0 no votes, 0 abstentions.
• Bylaw requirements were met for Certificate Issuers, Certificate Consumers, and quorum.
• The ballot cleared the IP Rights Review period with no IP Rights issues raised by the community.

Requirement introduced

• CAs must not sign OCSP responses using the SHA-1 hash algorithm.
• For OCSP responses using the signatureAlgorithm of a BasicOCSPResponse, the producedAt field value of the ResponseData must be earlier than 2022-06-01 00:00:00 UTC.

Relevant dates

• Discussion: 2022-01-10 15:00:00 UTC to 2022-01-17 15:00:00 UTC.
• Vote for approval: 2022-01-17 15:00:00 UTC to 2022-01-24 15:00:00 UTC.
• The Baseline Requirements table lists 2022-06-01 as the date by which CAs must not sign OCSP responses using SHA-1.
• The linked BR 1.8.2 PDF shows the same requirement in the relevant dates table and the OCSP profile change.