SHA-1 to SHA-256
From the article:
Enforcement in General
2. Server-Authentication Certificates: Windows will no longer trust certificates signed with SHA-1 after 1/1/2017.
3. Code Signing Certificates: Windows will no longer trust files with the Mark of the Web attribute that are signed with a SHA-1 code signing certificate and are timestamped after 1/1/2016. With the exception of issuing certificates to developers who intend to develop only applications for Windows Vista, Windows Server 2008, CAs may not issue new SHA-1 code signing certificates after January 1, 2016.
4. Timestamping Certificates: Windows will treat any certificate with a timestamp date after January 1, 2017 as if the file was not timestamped. However, if pre-image attacks on SHA-1 become feasible we will reevaluate how the system trusts these certificates. With the exception of issuing certificates to developers who intend to develop only applications for Windows Vista, Windows Server 2008, CAs may not issue new SHA-1 code signing certificates after January 1, 2016.
5. S/MIME Certificates: Windows will not enforce specific policies on S/MIME certificates. However, if pre-image attacks on SHA-1 become feasible we will reevaluate how the system trusts these certificates. Microsoft recommends that CAs start issuing new certificates using the SHA-2 algorithm.
6. OCSP and CRL Signing Certificates: Windows will also not enforce policies on these certificates. Microsoft recommends that CAs move to using SHA-2 wherever practicable.
7. OCSP Signatures: Windows will no longer trust OCSP responses that use SHA-1 for their signature after January 1, 2016, if the corresponding certificate has the Must Staple extension after January 1, 2016.
8. OCSP Responses: Windows will no longer trust OCSP responses that use SHA-1 for any SSL certificates after January 1, 2017. SHA-1 SSL certs without the Must Staple extension can continue to be served with SHA-1 OCSP signatures. Microsoft requires CAs to start issuing new OCSP signatures using only the SHA-2 algorithm after January 1, 2016 for SHA-2 SSL certificates.
9. CRL Signatures: Microsoft does not require that CAs move to using SHA-2 for CRL signatures, and Windows will not enforce policies on these certificates. However, if pre-image attacks on SHA-1 become feasible we will re-evaluate how the system trusts these certificates.
10. Code Signature File Hashes: Microsoft does not require that CAs move to using SHA-2. Windows will also not enforce policies on these certificates. If pre-image attacks on SHA-1 become feasible we will reevaluate how the system trusts these certificates.
11. Timestamp Signature Hashes: Windows will no longer trust files with the Mark of the Web attribute that are timestamped with a SHA-1 signature hash after 1/1/2017 on Windows 10 systems. Microsoft requires CAs to start issuing new timestamp signature hashes using only the SHA-2 algorithm after 1/1/2016. For developers targeting Windows Vista and Server 2008, CAs will be allowed to continue issuing SHA-1 timestamps.
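The practical question behind the server-authentication item is "which of my certificates still carry a SHA-1 signature, and are they past the 1/1/2017 cutoff?". The script below is an added example, not part of the quoted Microsoft text: it reads the outer signatureAlgorithm of a DER-encoded X.509 certificate with a small standard-library DER walker and classifies it against the server-authentication date above. The two sample blobs are constructed for this example and are not real certificates (only the AlgorithmIdentifier is populated); the same functions work on real DER, for example the bytes returned by ssl.PEM_cert_to_DER_cert, because the walker handles long-form lengths. The cutoff constant, OID tables and verdict strings are this example's own choices.

```python
"""Flag server-authentication certificates whose signature uses SHA-1.

Added example for the SHA-1 deprecation list; not code from the quoted
article. Only the outer Certificate.signatureAlgorithm is inspected.
"""
from datetime import date

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) that use SHA-1.
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
# SHA-2 family signature OIDs accepted as compliant.
SHA2_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# Date from item 2 above: SHA-1 server-auth signatures untrusted from here on.
SERVER_AUTH_CUTOFF = date(2017, 1, 1)

# Constructed samples: SEQUENCE { SEQUENCE {}, AlgorithmIdentifier, BIT STRING }.
# These are NOT real certificates; the tbsCertificate is empty.
SHA1_SAMPLE = bytes.fromhex(
    "3014" "3000" "300d0609" "2a864886f70d010105" "0500" "030100")
SHA256_SAMPLE = bytes.fromhex(
    "3014" "3000" "300d0609" "2a864886f70d01010b" "0500" "030100")


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Turn DER OID content octets into dotted notation."""
    subids, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]  # first octet packs the first two arcs
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def signature_algorithm_oid(der):
    """Return the dotted OID of a DER certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid_bytes)


def classify(der, today_iso):
    """Return (algorithm name, verdict) for a server-auth certificate on a given day."""
    today = date.fromisoformat(today_iso)
    oid = signature_algorithm_oid(der)
    if oid in SHA1_SIG_OIDS:
        if today >= SERVER_AUTH_CUTOFF:
            return SHA1_SIG_OIDS[oid], "UNTRUSTED: SHA-1 signature after 2017-01-01"
        return SHA1_SIG_OIDS[oid], "REPLACE BEFORE 2017-01-01: SHA-1 signature"
    if oid in SHA2_SIG_OIDS:
        return SHA2_SIG_OIDS[oid], "OK: SHA-2 signature"
    return oid, "UNKNOWN: review signature algorithm manually"


if __name__ == "__main__":
    for label, blob in (("sha1 sample", SHA1_SAMPLE), ("sha256 sample", SHA256_SAMPLE)):
        print(label, classify(blob, "2017-01-02"))
```

Running it on an inventory of exported certificates gives a quick list of what Windows stopped trusting on 1/1/2017; note that a SHA-1 signature on a root (self-signed) certificate is not the same concern, since Windows validates roots by membership in the trusted store rather than by their signature.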