[cabfpub] Question raised during CABF call today

Paul Tiemann paul.tiemann.usenet at gmail.com
Fri Nov 22 15:32:31 UTC 2013


On Nov 22, 2013, at 4:48 AM, Rob Stradling <rob.stradling at comodo.com> wrote:

> On 21/11/13 19:10, Geoff Keating wrote:
> <snip>
>> For OCSP, I don't believe we have any plans to change the algorithm used
>> to hash the issuer name and public key in the OCSP request.  I'd be
>> interested in opinions as to whether this is necessary or desirable.
> 
> Please keep using SHA-1 for the issuerNameHash and issuerKeyHash.  Forever!

+1 

Using anything else for issuerNameHash and issuerKeyHash would likely
break most OCSP implementations (on both client and server side) and it wouldn't
deliver any security gain. 

Paul Tiemann 
(DigiCert)
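
An added illustration of the interoperability point in the message above (not part of the original post, and not code from any CA or OCSP implementation): a responder that indexes certificate status by the SHA-1 CertID finds nothing when the same issuer and serial arrive hashed with SHA-256. The issuer bytes, serial numbers, responder class and "unknown" fallback are constructed assumptions.

```python
import hashlib

# Constructed stand-ins: a real client hashes the DER-encoded issuer Name and
# the issuer's subjectPublicKey bits taken from the issuer certificate.
ISSUER_NAME_DER = b"constructed issuer Name DER"
ISSUER_KEY_BITS = b"constructed issuer public key bits"


def cert_id(hash_alg, serial):
    """Return the four CertID fields of RFC 6960 as a tuple:
    (hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber)."""
    name_hash = hashlib.new(hash_alg, ISSUER_NAME_DER).digest()
    key_hash = hashlib.new(hash_alg, ISSUER_KEY_BITS).digest()
    return (hash_alg, name_hash, key_hash, serial)


class Sha1IndexedResponder:
    """Hypothetical responder that stores status keyed by the SHA-1 CertID."""

    def __init__(self, statuses):
        self.index = {cert_id("sha1", s): st for s, st in statuses.items()}

    def lookup(self, requested):
        # Exact match on all four fields; a CertID built with another hash
        # algorithm names the same issuer but matches no stored entry.
        return self.index.get(requested, "unknown")


def demo():
    """Query the same two serials with SHA-1 and SHA-256 CertIDs."""
    responder = Sha1IndexedResponder({0x1001: "good", 0x1002: "revoked"})
    results = {}
    for alg in ("sha1", "sha256"):
        for serial in (0x1001, 0x1002):
            results[(alg, serial)] = responder.lookup(cert_id(alg, serial))
    return results


if __name__ == "__main__":
    for (alg, serial), status in demo().items():
        print(f"{alg:7} serial={serial:#x} -> {status}")
```
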

