...
- SHA-2 has been rolled out live, and we now have SHA-2 subCAs corresponding to all of the TERENA SHA-1 subCAs. These subCAs use intermediate chain CA certificates that are completely different from those used for SHA-1. However, the root certificates, and hence the trust, have not changed. Server / code signing certificate requests for SHA-2 and SHA-1 via Djangora and the Janet portal / other instances seem to be behaving as expected.
- We have prepared a new CPS showing these changes - we are waiting for final sign-off from the PMA and then this will be published.
- Any SHA-1 request with a date past the deadline of 1st January 2017 will automatically flick to SHA-2 regardless. If a request CSR uses a SHA-2 hash, it also appears to generate a SHA-256 certificate, even if the certificate expires before 2017.
- There are some ongoing issues with requesting personal certificates due to issuer name problems. We have distributed advice to the community on fixing these issues and have asked for feedback to be sent to the TCS list and to the Confusa developers.
- We have advised that all eScience certificate requests should be SHA-1 for now: SHA-2 has been distributed through the IGTF framework, but since some controls are also associated with the issuer subCA name, it might not be painless. David Groep is actively working on this. As eScience certificates are 13 months in duration, they should expire before the cut-off date of 1st January 2017, so it is not an issue.
...