SHA-1 Deprecation and Microsoft policy

  • Question

  • Hello Microsoft Team,

    I have a couple of questions regarding SHA-1 encrypted certificate deprecation.

    1) Microsoft initially announced that they will block SHA-1 signed certificates starting on January 1, 2017, but due to recent advances in attacks on the SHA-1 algorithm, they are now considering an accelerated timeline to deprecate SHA-1 signed certificates as early as June 2016 (though this is not confirmed yet). Could you please confirm the exact dates when, and how, Microsoft stops supporting SHA-1 encrypted certification?

    2) In one of the forums I read that “As per Microsoft's SHA-1 deprecation policy, Windows users don't need to do anything in response to this new technical requirement”.

    What does this mean? Does Microsoft release patches both on server-side authentication not to distribute SHA-1 encrypted certificates and on the client side not to accept SHA-1 encrypted certificate verification?

    3) Also, in our production environment we have some clients still running on older operating systems like Windows Server 2000, which does not support SHA-2 encryption. At the moment, with the time frame available, we cannot change the operating system of those clients. In that case, what happens if we don’t change the server certificate to SHA-2 and still use the old SHA-1 after 1st Jan 2017? Tested by changing the Server and Client (both using SHA-1 encryption) timestamp by advancing past 1st Jan 2017, it still works normally. Is this expected?

    Please respond ASAP.

    Thanks in advance

    Ram

    • Moved by Just Karl Monday, February 8, 2016 3:07 PM Looking for the correct forum.
    Sunday, February 7, 2016 11:10 PM

Answers

All replies

  • Hello,

    The MSDN, TechNet and Expression Library Feedback forum is to "Help improve the Library Experience in MSDN, TechNet and Expression by providing feedback on features, bugs, look and feel or by just providing suggestions". This is not a support forum.

    As it's off-topic here, I am moving the question to the Where is the forum for... forum.

    Karl


    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
    My Blog: Unlock PowerShell
    My Book: Windows PowerShell 2.0 Bible
    My E-mail: -join('6D73646E5F6B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})

    Monday, February 8, 2016 2:58 PM
  • Hello,

    You might ask in the Windows Server Security forum.

    I'd not expect much for your Windows 2000 boxes since they have not had support for over 5 years, but it's worth asking.

    https://support.microsoft.com/en-us/lifecycle?p1=7274

    Karl



    • Proposed as answer by Mike Laughlin Monday, February 8, 2016 3:18 PM
    • Marked as answer by Dave PatrickMVP Sunday, February 14, 2016 10:15 PM
    Monday, February 8, 2016 3:07 PM