[cabfpub] Question raised during CABF call today

Rob Stradling rob.stradling at comodo.com
Fri Nov 22 11:46:45 UTC 2013

On 21/11/13 17:56, Rick Andrews wrote:
> Tom, Geoff, Gerv,
> Here’s the question I raised on the call. I’d really appreciate it if
> you could track down the answers for your respective platforms and share
> the answers with the CABF list.
> Officially, only SHA-1 is supported in OCSP today (RFC 2560),

Actually, no.  Officially (from the IETF's perspective), OCSP is today 
defined by RFC6960 (which obsoletes both RFC2560 and RFC6277).

RFC6960 requires support for sha256WithRSAEncryption...
   "Clients that request OCSP services _SHALL_ be capable of processing
    responses signed using RSA with SHA-256"
...and pushes sha1WithRSAEncryption a little way along the path to 
   "Clients _SHOULD_ be capable of processing responses signed using RSA
    with SHA-1"  (that "SHOULD" was previously "SHALL", even in RFC6277)

> and
> support for OCSP algorithm agility (RFC6277) might be limited. What is
> your plan about OCSP requests and responder certificates with SHA-1?
> /*[Kelvin Yiu responded] We expect OCSP certificates and responses would
> be signed with SHA2. Doesn’t RFC 6277 require support for at least RSA
> with SHA 256 in addition to RSA with SHA1? Are you aware of any OCSP
> clients that do not support SHA256?*/

I'm not aware of any OCSP clients that don't support 
sha256WithRSAEncryption, sha384WithRSAEncryption or 
sha512WithRSAEncryption signatures on OCSP Responses.

And for clients that support ECC certs, I'm not aware of any lack of 
support for ecdsa-with-SHA256, ecdsa-with-SHA384 or ecdsa-with-SHA512 
signatures on OCSP Responses.

> I’d like to understand if/when browser clients will stop using SHA-1 in
> OCSP requests, and when all supported platforms did/will support full
> use of SHA-256 in OCSP responses (in the signature of the response, and
> the signature of the cert that signed the response).
> I’d also like to ask other CAs if they have full support for RFC6277. My
> hunch is that some don’t support it, and can’t easily support it (at
> least those CAs that outsource OCSP software and had difficulty
> complying with the “don’t return a valid status for a cert you never
> issued” ballot).
> -Rick

Perhaps you could test that hunch by proposing an aggressive timetable 
for disallowing the use of SHA-1 for signing OCSP Responses...and then 
see who complains.  ;-)

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
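
An added example, not part of the original message: a standard-library Python reader that pulls the signatureAlgorithm OID out of a DER-encoded OCSPResponse and maps it to the names and requirement levels quoted in the message, so a CA or relying party can see whether a responder still signs with SHA-1. The function names and the embedded sample bytes (dummy signature, empty tbsResponseData) are assumptions constructed for illustration.

```python
# OIDs named in the thread -> (name, level in the RFC 6960 text quoted above, None if not quoted)
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHOULD"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHALL"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", None),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", None),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", None),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", None),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", None),
}

def tlv(buf, i=0):
    """Decode one DER element at buf[i]; return (tag, value, next_offset)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    if i + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[i:i + n], i + n

def children(value):
    out, i = [], 0
    while i < len(value):
        tag, v, i = tlv(value, i)
        out.append((tag, v))
    return out

def oid_str(b):
    arcs, n = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:  # base-128, high bit set on all but the last byte of an arc
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def ocsp_sig_alg(der):
    """Return (oid, name, level) for BasicOCSPResponse.signatureAlgorithm."""
    kids = children(tlv(der)[1])  # OCSPResponse: responseStatus, [0] responseBytes
    if len(kids) < 2 or kids[0][1] != b"\x00":
        raise ValueError("responseStatus is not successful; nothing is signed")
    body = children(tlv(kids[1][1])[1])[1][1]  # ResponseBytes.response OCTET STRING
    alg_id = children(tlv(body)[1])[1][1]      # AlgorithmIdentifier after tbsResponseData
    oid = oid_str(children(alg_id)[0][1])
    return (oid, *SIG_ALGS.get(oid, ("unknown", None)))

# Constructed sample (not a captured response): successful status, sha1WithRSAEncryption, dummy signature
SAMPLE_SHA1 = bytes.fromhex("302e0a0100a029302706092b0601050507300101041a3018"
                            "3000300d06092a864886f70d010105050003050000000000")
```

This reads only the algorithm identifier; it does not verify the signature or the responder certificate chain, whose own signature algorithm would need the same check.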
