[cabfpub] Question raised during CABF call today

Rob Stradling rob.stradling at comodo.com
Fri Nov 22 21:05:36 UTC 2013

On 22/11/13 15:32, Paul Tiemann wrote:
> On Nov 22, 2013, at 4:48 AM, Rob Stradling <rob.stradling at comodo.com> wrote:
>> On 21/11/13 19:10, Geoff Keating wrote:
>> <snip>
>>> For OCSP, I don't believe we have any plans to change the algorithm used
>>> to hash the issuer name and public key in the OCSP request.  I'd be
>>> interested in opinions as to whether this is necessary or desirable.
>> Please keep using SHA-1 for the issuerNameHash and issuerKeyHash.  Forever!
> +1
> Using anything else for issuerNameHash and issuerKeyHash would likely
> break most OCSP implementations (on both client and server side) and it wouldn't
> deliver any security gain.

I just looked at a recent day's worth of OCSP logs.

We received 15 OCSP Requests that used the "GOST R 34.11-94" hash 
algorithm for the issuerNameHash and issuerKeyHash.  The rest of the N 
billion OCSP Requests we received all used SHA-1.

Not even a single OCSP Request used SHA-2 for issuerNameHash and 

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
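Added example (not code from the thread or from any CA's responder): what the CertID fields discussed above actually contain. issuerNameHash and issuerKeyHash are digests of the issuer's DER Name and of its subjectPublicKey bits, and the CertID carries the hash algorithm OID, so a responder can tally which algorithms its clients really send, much like the log review above. The minimal DER helpers, the toy issuer Name and the stand-in key bytes are constructed for this example.

```python
import hashlib
from collections import Counter

SHA1_OID = b"\x2b\x0e\x03\x02\x1a"                    # 1.3.14.3.2.26
SHA256_OID = b"\x60\x86\x48\x01\x65\x03\x04\x02\x01"  # 2.16.840.1.101.3.4.2.1
GOST94_OID = b"\x2a\x85\x03\x02\x02\x09"              # 1.2.643.2.2.9 (GOST R 34.11-94)
HASH_NAMES = {SHA1_OID: "sha1", SHA256_OID: "sha256", GOST94_OID: "gostR3411-94"}  # CertID.hashAlgorithm

def der_tlv(tag, body):
    """Minimal DER encoder: tag, definite-form length, value."""
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos (definite lengths only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_hashes(hash_name, issuer_name_der, issuer_spk):
    """issuerNameHash covers the DER issuer Name; issuerKeyHash covers the subjectPublicKey bits."""
    return hashlib.new(hash_name, issuer_name_der).digest(), hashlib.new(hash_name, issuer_spk).digest()
def build_ocsp_request(hash_oid, name_hash, key_hash, serial):
    """Unsigned OCSPRequest { TBSRequest { requestList { Request { CertID } } } } with one CertID."""
    alg_id = der_tlv(0x30, der_tlv(0x06, hash_oid) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    cert_id = der_tlv(0x30, alg_id + der_tlv(0x04, name_hash) + der_tlv(0x04, key_hash) + der_tlv(0x02, serial))
    return der_tlv(0x30, der_tlv(0x30, der_tlv(0x30, der_tlv(0x30, cert_id))))

def cert_ids(req):
    """Yield (hashAlgorithm OID bytes, issuerNameHash, issuerKeyHash) for every CertID in a request."""
    p = read_tlv(req, read_tlv(req, 0)[1])[1]      # into OCSPRequest, then into TBSRequest
    tag, s, e = read_tlv(req, p)
    while tag in (0xA0, 0xA1):                     # skip optional [0] version / [1] requestorName
        tag, s, e = read_tlv(req, e)
    while s < e:                                   # (s, e) spans requestList SEQUENCE OF Request
        _, r, s = read_tlv(req, s)                 # Request; s advances to the next one
        _, a, a_end = read_tlv(req, read_tlv(req, r)[1])  # CertID, then its AlgorithmIdentifier
        _, o, o_end = read_tlv(req, a)             # OBJECT IDENTIFIER
        _, nh, nh_end = read_tlv(req, a_end)       # issuerNameHash OCTET STRING
        _, kh, kh_end = read_tlv(req, nh_end)      # issuerKeyHash OCTET STRING
        yield req[o:o_end], req[nh:nh_end], req[kh:kh_end]

def tally_hash_algorithms(requests):
    """Count CertID hash algorithms over a batch of raw requests, as a responder log review would."""
    return Counter(HASH_NAMES.get(oid, "unknown") for req in requests for oid, _, _ in cert_ids(req))
ISSUER_NAME = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x13, b"Test CA"))))  # constructed toy Name
ISSUER_SPK = bytes(range(64))  # constructed stand-in for the issuer's subjectPublicKey BIT STRING contents
```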
