[cabfpub] Question raised during CABF call today

Geoff Keating geoffk at apple.com
Thu Nov 21 19:10:02 UTC 2013

On 21 Nov 2013, at 9:56 am, Rick Andrews <Rick_Andrews at symantec.com> wrote:

> Tom, Geoff, Gerv,
> Here’s the question I raised on the call. I’d really appreciate it if you could track down the answers for your respective platforms and share the answers with the CABF list.
> Officially, only SHA-1 is supported in OCSP today (RFC 2560), and support for OCSP algorithm agility (RFC 6277) might be limited. What is your plan about OCSP requests and responder certificates with SHA-1?
> [Kelvin Yiu responded] We expect OCSP certificates and responses would be signed with SHA2. Doesn’t RFC 6277 require support for at least RSA with SHA 256 in addition to RSA with SHA1? Are you aware of any OCSP client that does not support SHA256?
> I’d like to understand if/when browser clients will stop using SHA-1 in OCSP requests, and when all supported platforms did/will support full use of SHA-256 in OCSP responses (in the signature of the response, and the signature of the cert that signed the response).

For OCSP, I don't believe we have any plans to change the algorithm used to hash the issuer name and public key in the OCSP request.  I'd be interested in opinions as to whether this is necessary or desirable.

As far as I know, OS X supports SHA-256 in both signatures.   If you know of an OCSP resolver that actually does this, I would love to test against it.
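The "algorithm used to hash the issuer name and public key in the OCSP request" that Geoff refers to is the hashAlgorithm of the CertID structure (RFC 2560 section 4.1.1, carried forward in RFC 6960), which is what RFC 6277 algorithm agility lets a client switch from SHA-1 to SHA-256. The following is an added illustration, not code from this thread or from any of the platforms discussed: it builds a CertID with either hash using only the Python standard library and a minimal hand-rolled DER encoder, and decodes one back so a responder operator can see which hash a client actually sends. The issuer name, the SubjectPublicKeyInfo (whose key bits are dummy bytes, not a real RSA key) and the serial number are constructed sample values.

```python
"""Constructed example: build and inspect an OCSP CertID (RFC 2560 section 4.1.1,
kept in RFC 6960) with a selectable hash, as RFC 6277 algorithm agility allows.
Standard library only; the DER helpers are hand-rolled and minimal."""
import hashlib

# OIDs for the hashAlgorithm field.  SHA-1 is the only one RFC 2560 mandates;
# RFC 6277 lets a client pick SHA-256 and expects a responder to recognise it.
HASH_OIDS = {"sha1": "1.3.14.3.2.26", "sha256": "2.16.840.1.101.3.4.2.1"}

def _der_length(n: int) -> bytes:
    """DER definite-form length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + _der_length(len(content)) + content

def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER with base-128 arc encoding."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def der_integer(n: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 keeps the sign bit clear."""
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_read(buf: bytes, pos: int = 0):
    """Read one TLV at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

OID_TLV_TO_HASH = {der_oid(oid): name for name, oid in HASH_OIDS.items()}

def spki_key_bits(spki_der: bytes) -> bytes:
    """subjectPublicKey value from a SubjectPublicKeyInfo.  issuerKeyHash is
    over the BIT STRING *contents* (tag, length and unused-bits byte excluded),
    not over the whole SPKI; hashing the wrong bytes yields a CertID that no
    responder will match."""
    _, spki, _ = der_read(spki_der)          # outer SEQUENCE
    _, _alg, pos = der_read(spki)            # skip AlgorithmIdentifier
    tag, bits, _ = der_read(spki, pos)
    assert tag == 0x03, "subjectPublicKey must be a BIT STRING"
    return bits[1:]                          # drop the unused-bits count

def build_cert_id(issuer_name_der, issuer_spki_der, serial, hash_name="sha1"):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash OCTET STRING,
    issuerKeyHash OCTET STRING, serialNumber INTEGER }"""
    digest = getattr(hashlib, hash_name)
    alg_id = der(0x30, der_oid(HASH_OIDS[hash_name]) + der(0x05, b""))  # NULL params
    return der(0x30, alg_id
               + der(0x04, digest(issuer_name_der).digest())
               + der(0x04, digest(spki_key_bits(issuer_spki_der)).digest())
               + der_integer(serial))

def parse_cert_id(cert_id_der: bytes) -> dict:
    """Decode a CertID; a responder operator can use the hash name to see
    whether clients actually send SHA-256 CertIDs, the question in the thread."""
    _, seq, _ = der_read(cert_id_der)
    _, alg, pos = der_read(seq)
    _, oid_body, _ = der_read(alg)
    _, name_hash, pos = der_read(seq, pos)
    _, key_hash, pos = der_read(seq, pos)
    _, serial_body, _ = der_read(seq, pos)
    return {"hash": OID_TLV_TO_HASH.get(der(0x06, oid_body), "unknown"),
            "issuerNameHash": name_hash, "issuerKeyHash": key_hash,
            "serialNumber": int.from_bytes(serial_body, "big")}

# Constructed sample inputs (not a real CA): a one-RDN issuer Name and an SPKI
# whose key bits are dummy bytes rather than a real RSA key.
ISSUER_NAME_DER = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x13, b"Example Issuer CA"))))
KEY_BITS = bytes(range(64))
ISSUER_SPKI_DER = der(0x30, der(0x30, der_oid("1.2.840.113549.1.1.1") + der(0x05, b""))
                      + der(0x03, b"\x00" + KEY_BITS))
SERIAL = 0x0123456789ABCDEF

if __name__ == "__main__":
    for name in HASH_OIDS:
        cid = build_cert_id(ISSUER_NAME_DER, ISSUER_SPKI_DER, SERIAL, name)
        print(name, parse_cert_id(cid)["hash"], len(cid), "bytes:", cid.hex())
```

Two points worth noting from the code: the CertID hash is independent of the signature algorithm on the OCSPResponse and on the responder certificate, which is why the thread treats the two questions separately; and because a responder indexes its records by CertID, a client that switches the CertID hash to SHA-256 only gets an answer from responders that compute SHA-256 CertIDs too, which is the interoperability concern behind Geoff's request for a responder to test against.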
