
IGTF time line statement on SHA-2 Secure Digest Mechanisms

Having consulted the major relying parties, the authority members, and the HASHRAT expert group, and based on the discussions at the APGridPMA, TAGPMA, and EUGridPMA, the following SHA-2 time line has now been endorsed by the IGTF.

Now
  • CA certificates in the IGTF distribution and CRLs at official distribution points should use SHA-1
  • CAs should issue SHA-1 end entity certificates by default
  • CAs may issue SHA-2 (SHA-256 or SHA-512) end entity certificates on request. CAs may publish SHA-2 (SHA-256 or SHA-512) CRLs at alternate distribution point URLs
1 December 2013
1 October 2013
  • CAs should begin to phase out issuance of SHA-1 end entity certificates
  • CAs should issue SHA-2 (SHA-256 or SHA-512) end entity certificates by default
1 April 2014
  • New CA certificates should use SHA-2 (SHA-256 or SHA-512)
  • Existing intermediate CA certificates are encouraged to re-issue using SHA-2 (SHA-256 or SHA-512)
  • Existing root CA certificates may continue to use SHA-1
1 October 2014
  • CAs may begin to publish SHA-2 (SHA-256 or SHA-512) CRLs at their official distribution points.
1 February 2015
1 December 2014
  • All issued SHA-1 end entity certificates should be expired or revoked.
  • Existing intermediate CA certificates should be re-issued using SHA-2 (SHA-256 or SHA-512)

In case of new SHA-1 vulnerabilities, the above schedule may be revised.

SHA-224 and SHA-384 are not to be used as per the HASHRAT document.


Comments to David Groep.