
Ballot SC53, relating to the deprecation of SHA-1 OCSP signatures, has been adopted

The CA/B Forum, the regulator in the SSL certificate industry, has passed Ballot SC53 by a majority vote. SHA-1 OCSP signatures are no longer supported.

OCSP (Online Certificate Status Protocol) is an Internet protocol used to obtain the revocation status of an X.509 digital certificate.

The SHA-1 hashing algorithm used for signatures is not strong enough.

It has long been forbidden to use private keys to directly sign OCSP responses using SHA-1.

However, private keys corresponding to delegated OCSP responders could still be used to sign OCSP responses using the SHA-1 algorithm.

What does the new Ballot SC53 do?

The new Ballot SC53 makes the following changes to the Baseline Requirements document:

  • Section 7.1.3.2.1 was introduced, stating that a CA can no longer sign OCSP responses using the SHA-1 algorithm.
  • For an OCSP response signed with SHA-1, the producedAt field for ResponseData MUST contain a date before 2022-06-01 00:00:00 UTC.
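
To audit responder output against these two points, the added example below (not code from the ballot or from this page) reads the signature algorithm and producedAt out of a DER-encoded OCSP response using only the Python standard library, treating the producedAt condition as applying to SHA-1-signed responses. The function names, the inclusion of the ECDSA SHA-1 OID and the sample responses are assumptions made for illustration; the code does not verify the signature and expects producedAt without fractional seconds.

```python
from datetime import datetime, timezone

CUTOFF = datetime(2022, 6, 1, tzinfo=timezone.utc)   # date given in the ballot
SHA1_SIG_OIDS = {                                    # DER-encoded OID contents
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
}

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    pos, out = 0, []
    while pos < len(content):
        tag, val, pos = tlv(content, pos)
        out.append((tag, val))
    return out

def check_ocsp_response(der_bytes):
    """Return 'ok', 'sha1-before-cutoff', 'sha1-violation' or 'no-response-bytes'."""
    top = children(tlv(der_bytes)[1])
    if len(top) < 2:                                 # error status: nothing was signed
        return "no-response-bytes"
    response_bytes = children(tlv(top[1][1])[1])     # [0] EXPLICIT -> ResponseBytes
    basic = children(tlv(response_bytes[1][1])[1])   # OCTET STRING -> BasicOCSPResponse
    tbs, sig_alg = children(basic[0][1]), children(basic[1][1])
    if sig_alg[0][1] not in SHA1_SIG_OIDS:
        return "ok"
    produced = next(v for t, v in tbs if t == 0x18)  # GeneralizedTime producedAt
    when = datetime.strptime(produced.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return "sha1-before-cutoff" if when < CUTOFF else "sha1-violation"

# Constructed sample input: dummy responder ID and signature, not a real response.
def der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body            # samples stay under 128 bytes

def sample(sig_oid_hex, produced_at):
    tbs = der(0x30, der(0xA2, der(0x04, bytes(20))), der(0x18, produced_at.encode()), der(0x30))
    alg = der(0x30, der(0x06, bytes.fromhex(sig_oid_hex)), der(0x05))
    basic = der(0x30, tbs, alg, der(0x03, bytes(9)))
    rb = der(0x30, der(0x06, bytes.fromhex("2b0601050507300101")), der(0x04, basic))
    return der(0x30, der(0x0A, b"\x00"), der(0xA0, rb))
```

Run `check_ocsp_response` over the raw bytes of a captured responder reply; any `sha1-violation` result points to a responder that still signs with SHA-1.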
