SHA-1 Deprecation and Microsoft policy

  • Question

  • Hello Microsoft Team,

    I have a couple of questions regarding SHA-1 encrypted certificate deprecation.

    1)      Microsoft initially announced that they will block SHA-1 signed certificates starting on January 1, 2017, but due to recent advances in attacks on the SHA-1 algorithm, they are now considering an accelerated timeline to deprecate SHA-1 signed certificates as early as June 2016 (though this is not confirmed yet). Could you please confirm the exact dates when, and how, Microsoft stops supporting SHA-1 encrypted certification?

    2)      In one of the forums I read that “As per Microsoft's SHA-1 deprecation policy, Windows users don't need to do anything in response to this new technical requirement”.

    What does this mean? Does Microsoft release patches both for server-side authentication, not to distribute SHA-1 encrypted certificates, and for the client side, not to accept SHA-1 encrypted certificates for verification?

    3)      Also, in our production environment we have some clients still running on older operating systems like Windows Server 2000, which does not support SHA-2 encryption. At the moment, with the time frame available, we cannot change the operating system of those clients. In that case, what happens if we don't change the server certificate to SHA-2 and still use the old SHA-1 after 1st Jan 2017? I tested by changing the server and client (both using SHA-1 encryption) timestamp, advancing it past 1st Jan 2017, and it still works normally. Is this expected?

    Please respond ASAP.

    Thanks in advance


    • Moved by Just Karl (Moderator), Monday, February 8, 2016 3:07 PM: Looking for the correct forum.
    Sunday, February 7, 2016 11:10 PM


All replies