Here is the context. Suppose you have a corporate PKI with :
- AC_Root (offline in safe store - SHA1 signature)
- SubRootA ans SubrootB (offline in safe store - SHA1 signature)
- SubSubRootC, SubSubRootD, SubSubRootE... (online in HSM - SHA1 signature)
- End entities certificates (servers, users smart card, auto enrollment, Active directory)
What are the impacts due to SHA1 deprecation ? I know root certificate is not concerned, because self-signature is never verified (only presence in truststore), but what about the Subroot certificates ?
Editors like Google or Microsoft announced that browsers will print warnings and even fail when SHA1 will be used, and quite soon (2015/2016).
Is this a hot issue for mostly security reasons or for the user experience (warnings in browser, OS refusing SHA1 certificates) ?
Is it needed to organise a new key ceremony for creation of a new "SHA256" chain ? Even for offline chain (root and subroots) ? Re-issuing new end entities certificats with SHA256 ? Introducing a sliding period for key renewal ?
Thanks in advance for your advices, I am quite septic about this.
Aucun commentaire:
Enregistrer un commentaire