You probably have heard about Google’s recent decision to deprecate SHA-1…
On September 5th, Google announced its decision to sunset the use of SHA-1 in SSL certificates in its Chrome browser. The decision was communicated on very short notice to the Certificate Authorities (CAs) that issue SSL certificates, and it led to long discussions between Google and many CA representatives. It will apply in November 2014 with Chrome 39.
Faced with such decisions, OpenTrust always carefully assesses the pros and cons before amending its offers and practices. OpenTrust is a public CA (cleared to issue SSL certificates trusted by web browsers for any company) and a member of the CA/Browser Forum (an industry group of leading web browser vendors and CAs working together to establish security requirements for SSL certificate issuance).
In practice, there are two ways to handle such a browser vendor decision: either the CA focuses on security and adopts the latest features so as to comply as soon as possible, or the CA waits until all technical environments (mainly web servers and browsers) are ready to support these features, to maximize interoperability.
Given the recommendations made a few years ago by the CA/Browser Forum and the recent browser vendor decisions, we at OpenTrust have decided to adapt our offers and practices: we will soon issue all our SSL certificates using SHA-2 hashing algorithms. We are currently preparing this change and will let you know when everything is ready.
We take this opportunity to remind our customers that, even though cryptography is a topic OpenTrust and all members of the CA/Browser Forum care a great deal about, it is not the only aspect required to establish trust in securing web sites. At OpenTrust we also keep implementing non-technical procedures, used for vetting before the issuance of any SSL certificate, that are at least as important as improving technical features. This is one of our internal credos regarding SSL, and we aim to keep it alive for a long time.