Entrust Datacard Stops Issuing SHA-1 Certificates
Entrust Datacard made the decision to stop issuing any type of public trust certificate using the SHA-1 hashing algorithm, to mitigate the potential for SHA-1 collision attacks and help protect our certificate subscribers’ data. Recent developments, including the SHA-1 deprecation and Google’s recently published SHAttered collision attack, show that there is an increased risk in continued SHA-1 usage.
Per CA/Browser Forum guidelines, certification authorities (CAs) stopped signing public trust certificates using SHA-1, and as of January 2017 the major browsers and operating systems no longer treat SHA-1 signed certificates as trusted. The SHA-1 deprecation plan was focused on SSL/TLS certificates. Microsoft extended the plan to code signing certificates, with the exception of certificates issued to support Windows Vista and Server 2008. Mozilla also extended the SHA-1 deprecation to any certificate issued under a root trusted by Mozilla.
There are still some clients and servers that do not support SHA-2. In those cases, private trust certificates may be a solution. A private trust certificate is self-signed or issued under a CA or root certificate that is not natively distributed by the browsers and operating systems. This means only clients that have explicitly chosen to trust the certificate or PKI hierarchy would be exposed to an attack.
Entrust Datacard does not plan to issue any private trust SHA-1 certificates for data or files that will be persistently signed. That is, we do not plan to issue SHA-1 certificates that will be used to sign code, documents or email, because a signature on such files must hold up long after issuance, and a SHA-1 collision will only become easier to accomplish over time.
We do support the issuance of SHA-1 certificates for secure sessions. In other words, we will still sign private trust SSL/TLS certificates, with a maximum validity period of one year. Note also that SHA-1 certificates will only be provided for a short period, in an attempt to support subscribers as they migrate to SHA-2.
The increased vulnerability of SHA-1 signed certificates to collision attacks puts them at a higher risk of compromise, making them an unfavorable solution for Entrust Datacard to offer our customers.
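Subscribers planning the migration above need a way to find which certificates in their inventory still carry a SHA-1 (or MD5) signature. The following is an added example, not code from Entrust Datacard or this announcement: it walks the DER encoding of an X.509 certificate just far enough to read the `signatureAlgorithm` OID, then flags it against a list of weak signature algorithms. The `make_sample_certificate` helper builds a constructed, structurally minimal certificate so the check can be exercised offline; it is not a real certificate and its `tbsCertificate` body is a placeholder.

```python
"""Flag X.509 certificates whose signature algorithm uses SHA-1 or MD5.

Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
Only the outer structure is parsed; the tbsCertificate is skipped as an opaque blob.
"""
import base64
import re

# Signature-algorithm OIDs from RFC 3279/4055/5758, mapped to their usual names.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
# Algorithms a migration scan should report (MD5 and SHA-1 based).
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4",
    "1.2.840.113549.1.1.5",
    "1.2.840.10040.4.3",
    "1.2.840.10045.4.1",
}


def _read_tlv(buf, pos):
    """Read one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(content):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted-decimal text."""
    first = content[0]
    arcs = ["2", str(first - 80)] if first >= 80 else [str(first // 40), str(first % 40)]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: this byte ends the arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def signature_algorithm(der):
    """Return (oid, name) of the signatureAlgorithm in a DER-encoded certificate."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, tbs_end = _read_tlv(der, start)          # skip tbsCertificate
    if tag != 0x30:
        raise ValueError("expected tbsCertificate SEQUENCE")
    tag, alg_start, _ = _read_tlv(der, tbs_end)      # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(der[oid_start:oid_end])
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def is_weak_signature(der):
    """True if the certificate's signature uses an MD5- or SHA-1-based algorithm."""
    return signature_algorithm(der)[0] in WEAK_SIGNATURE_OIDS


def pem_to_der(pem):
    """Strip PEM armour and base64-decode a single certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


# --- constructed sample data (hypothetical, not a real certificate) ---------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_certificate(sig_oid):
    """Build a CONSTRUCTED outer Certificate SEQUENCE: placeholder tbsCertificate,
    the given signature OID with NULL parameters, and a dummy signature BIT STRING."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    sig = _tlv(0x03, b"\x00" + b"\xAB" * 4)
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        der = make_sample_certificate(oid)
        print(signature_algorithm(der), "WEAK" if is_weak_signature(der) else "ok")
```

For a real inventory, feed `pem_to_der(open(path).read())` for each exported certificate into `is_weak_signature`; the parser reads only the outer three elements, so it works on certificates of any size without trusting their content. Note that the algorithm checked here is the one the issuer used to sign the certificate, which is what the deprecation concerns; the subject key type (RSA, ECDSA) is a separate matter.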