<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">That was a collision attack, not a
pre-image one (MD5 is still pre-image resistant -- or not a useful
enough target anymore).<br>
<br>
notBefore/notAfter isn't a good place to add entropy to: 16bits
max for time components of one of notBefore/notAfter, if a CA is
allowed to play with the date part, it is then implicitly allowed
to play with information that will be compared to effective and
hard sunset dates; something already known to be problematic.<br>
<br>
The necessary entropy was added to mitigate collision attacks
while allowing legacy hash functions as a transition. That raised
the attacker's bar from "collision attack" to "random prefix
collision attack". It's strictly not necessary *while* the hash
function is collision resistant. Nevertheless, I think it's best
to be conservative and keep this requirement, and let browsers set
sunset dates for declining crypto functions/parameters (<2048
bits RSA, MD5/SHA1, ...) based on theoretical results.<br>
<br>
(If we allow for Ed25519 or similar schemes, we'll have this
"collision protection" for free, AIUI.)<br>
<br>
<pre class="moz-signature" cols="72">--
Erwann ABALEA
</pre>
Le 11/08/2014 21:46, Ben Wilson a écrit :<br>
</div>
<blockquote
cite="mid:052fa5cf0854404094dc209315ae995b@EX2.corp.digicert.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,
Ryan. I wasn’t trying to raise resurrect MD5 (or SHA1), I’m
just saying that we ought to revisit what we say about
serial number entropy and the reasons for it. I had
forgotten that CAs were told not to place entropy into the
Date fields—someone on this other call (Federal PKI)
suggested that it was a better place to embed entropy. As
you note, there are more sophisticated methods to address
this—which leads to my underlying intent – is the CA/B Forum
ready to tackle a more sophisticated or complex formulation
of the entropy requirement that takes into account current
information and hashing algorithm strengths? Or should we
hold off on discussing this until after January 2016 when
SHA1 certificates are no longer issued? <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Ryan Sleevi [<a class="moz-txt-link-freetext" href="mailto:sleevi@google.com">mailto:sleevi@google.com</a>]
<br>
<b>Sent:</b> Monday, August 11, 2014 1:24 PM<br>
<b>To:</b> Ben Wilson<br>
<b>Cc:</b> CABFPub<br>
<b>Subject:</b> Re: [cabfpub] Serial Number Entropy<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Aug 11, 2014 at 11:53 AM, Ben
Wilson <<a moz-do-not-send="true"
href="mailto:ben.wilson@digicert.com" target="_blank">ben.wilson@digicert.com</a>>
wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The
purpose of this email is just to place a reminder
for us or get the conversation going if anyone wants
to discuss this suggestion from a call I was on
today –
<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Could
the CA/B Forum (and Browser root programs)
revise/update its response to the 2008 Sotirov MD5
pre-image attack? <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I'm not sure what you expect from
the Browser Root Programs, or what call you were on,
but<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- OS X / Safari (and Chrome on OS
X) - Has disabled MD5 support since OS X 10.9 - <a
moz-do-not-send="true"
href="http://support.apple.com/kb/HT6011">http://support.apple.com/kb/HT6011</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- Chrome (on all platforms) -
Treats MD5 the same as untrusted root / any other cert
with errors since Chrome 18 (aka December 2011) - <a
moz-do-not-send="true"
href="https://code.google.com/p/chromium/issues/detail?id=101123">https://code.google.com/p/chromium/issues/detail?id=101123</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- Firefox (on all platforms, except
where a distro/sys admin overrides) - Disallows MD5 in
signatures since FF16 - <a moz-do-not-send="true"
href="https://bugzilla.mozilla.org/show_bug.cgi?id=650355">https://bugzilla.mozilla.org/show_bug.cgi?id=650355</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- IE - As of February 2014, Windows
Vista+ won't allow MD5 for signatures for CAs in their
root program - <a moz-do-not-send="true"
href="https://technet.microsoft.com/library/security/2862973">https://technet.microsoft.com/library/security/2862973</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The
commenter’s point was that today there are other
ways to reduce the risk of this pre-image attack
in addition to 20-bit entropy in serial numbers
(which we specify in the Baseline Requirements for
SSL and the Code Signing draft). Those include-
variable issuance/expiration times (e.g. minutes,
seconds, etc.) and better hash algorithms (not
SHA1).<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Sure. But MD5 is dead. Why would
the commenter wish to revive it?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">As a reminder for CAs, SHA-1 is
also not long for this world. While there may be
attempts to prolong its life, it's better to start
transitioning away. For example, it's highly likely
that a future version of Chrome will treat
certificates with validity periods (measured by
NotAfter) beyond the <b>hard</b> sunset date
(1/1/2017) that Microsoft has proposed as certificates
with errors, warning the user and treating such
resources as mixed content (requiring user
interaction). <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Let's also keep in mind that these
mitigations are not sanctioned by the root programs.
For example, 20-bits of entropy is insufficient for
the Microsoft Root Program ( <a moz-do-not-send="true"
href="http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx">http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx</a>
), which requires 64-bits (eight bytes)<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In the same section, Microsoft also
makes it clear that CAs are no longer allowed to place
entropy into the Date fields. See <a
moz-do-not-send="true"
href="http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx#_edn12">http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx#_edn12</a>
for a further discussion.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">So really, the ONLY acceptable
mitigation is move to better hash algorithms, and if
you're doing that, it SHOULD be SHA-256, not SHA-1.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">As a final reminder, the Baseline
Requirements state SHA-1 "MAY be used with RSA keys
until SHA-256 is widely supported by
<b>browsers</b> used by a substantial portion of
relying-parties worldwide". Given that Windows XP, a
historical complaint from CAs, supports SHA-256 since
SP3, I think the burden is on CAs to demonstrate that
there exists a population sizeable enough that SHA-256
support cannot be called "substantial".<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
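<p>The thread compares the 20 bits of serial-number entropy in the Baseline Requirements with the 64 bits (eight bytes) Microsoft requires, and notes that the notBefore/notAfter fields can hold at most about 16 bits. The Python below is an added example, not code from the thread, from Ryan, Ben or Erwann, or from any CA: it generates a serial carrying eight bytes of CSPRNG output, encodes it as DER INTEGER content octets to length-check it against the RFC 5280 20-octet cap, and computes how much entropy date-field jitter could offer by comparison. The constants <code>SERIAL_ENTROPY_BYTES</code> and <code>MAX_SERIAL_OCTETS</code> and the 86400-second jitter window are assumptions chosen for illustration.</p>

```python
import math
import secrets

# Added example (not code from the thread or from any CA): a serial-number
# generator that carries the 64 bits of entropy the thread cites as the
# Microsoft root-program floor, a DER INTEGER encoder used to length-check
# serials against the RFC 5280 20-octet cap, and a helper that quantifies how
# little entropy the notBefore/notAfter fields can hold by comparison.

SERIAL_ENTROPY_BYTES = 8   # 64 bits = eight bytes, as quoted in the thread
MAX_SERIAL_OCTETS = 20     # RFC 5280, section 4.1.2.2: serialNumber <= 20 octets


def random_serial(entropy_bytes: int = SERIAL_ENTROPY_BYTES) -> int:
    """Return a positive serial number containing `entropy_bytes` of CSPRNG output.

    A fixed 0x01 byte is prepended so the integer is never zero or negative
    and its DER length is constant, without sacrificing any random bits.
    """
    if entropy_bytes < 1:
        raise ValueError("entropy_bytes must be at least 1")
    return int.from_bytes(b"\x01" + secrets.token_bytes(entropy_bytes), "big")


def der_serial_octets(serial: int) -> bytes:
    """Minimal big-endian two's-complement content octets of a DER INTEGER."""
    if serial <= 0:
        raise ValueError("serialNumber must be a positive integer (RFC 5280)")
    raw = serial.to_bytes((serial.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # a set high bit would make DER read it as negative
        raw = b"\x00" + raw
    return raw


def serial_meets_policy(serial: int, min_entropy_bytes: int = SERIAL_ENTROPY_BYTES) -> bool:
    """Length-only sanity check for an issued serial.

    This is a necessary condition, not proof of randomness: a serial shorter
    than `min_entropy_bytes` cannot possibly carry that much entropy, and one
    longer than 20 octets is not a valid serialNumber at all.
    """
    try:
        octets = der_serial_octets(serial)
    except ValueError:
        return False
    return min_entropy_bytes <= len(octets) <= MAX_SERIAL_OCTETS


def time_field_entropy_bits(window_seconds: int = 86_400, resolution_seconds: int = 1) -> float:
    """Bits of entropy obtainable by jittering notBefore or notAfter.

    Spending a full day of jitter at one-second resolution gives only
    log2(86400), roughly 16.4 bits: the ~16-bit ceiling mentioned in the
    reply above, far short of the 64 bits a serial number carries.
    """
    if resolution_seconds < 1 or window_seconds < resolution_seconds:
        raise ValueError("window must cover at least one resolution step")
    return math.log2(window_seconds // resolution_seconds)


if __name__ == "__main__":
    s = random_serial()
    print(f"serial: {s:x} ({len(der_serial_octets(s))} octets), "
          f"policy ok: {serial_meets_policy(s)}")
    print(f"one day of second-level date jitter: "
          f"{time_field_entropy_bits():.1f} bits")
```

<p>The length check is deliberately weak: it rejects serials that are too short to hold eight random bytes or too long to be valid, but it cannot distinguish a CSPRNG output from a counter of the same width, so an auditor still has to look at the issuance software, not just the certificates.</p>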
<br>
</body>
</html>