[cabfpub] Fwd: Re: SHA-256 support

Rob Stradling rob.stradling at comodo.com
Tue Nov 26 10:54:04 UTC 2013

On 26/11/13 10:32, Gervase Markham wrote:
> Hi everyone,
> Here is a more nuanced answer from wtc about when and how much NSS
> supports SHA-2.
> NSS 3.11.1/3.11.4 or later were included in Firefox 2.0 and later.

Thanks Gerv.  I think Bob's and Wan-Teh's answers only cover signatures 
on certificates.  CAs will also need clients to support SHA-2-based 
signatures on OCSP Responses.

2 days ago Brian Smith wrote:
"Note that currently NSS does not support SHA2 for OCSP completely yet."

Which NSS and Firefox versions will support SHA-256/384/512-based 
signatures on OCSP Responses "completely"?

> Gerv
> -------- Original Message --------
> Subject: Re: SHA-256 support
> Date: Tue, 19 Nov 2013 10:40:25 -0800
> From: Wan-Teh Chang <wtc at google.com>
> Reply-To: mozilla's crypto code discussion list
> <dev-tech-crypto at lists.mozilla.org>
> To: mozilla's crypto code discussion list
> <dev-tech-crypto at lists.mozilla.org>
> Newsgroups: mozilla.dev.tech.crypto
> References: <v8ydnXNXANDjthfPnZ2dnUVZ_j6dnZ2d at mozilla.org>
> <528ACAD1.3090708 at REDHAT.COM>
> Bob's answer is accurate.
> Note that CAs are more interested in SHA-2 based signature support
> rather than plain SHA-2 support. So another way to track down the NSS
> version is to look at the CVS history of the secvfy.c file:
> http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/security/nss/lib/cryptohi/secvfy.c&rev=HEAD&mark=1.30
> The relevant revisions are:
> 1.7 nelsonb%netscape.com2002-12-11 22:05 Support SHA256, SHA384, and
> SHA512 hashes in NSS.
> 1.14 wtchang%redhat.com2005-08-12 16:50 Bugzilla Bug 296410: enlarge
> the buffer size for message digest so that we can generate and verify
> signatures that use SHA-512.
> 1.17 rrelyea%redhat.com2006-02-07 22:14 Bug 320583 Support for
> SHA256/384/512 with ECC signing
> So it is safe to say that by mid 2006 (NSS 3.11.1, released on
> 2006-05-05) the support of SHA-2 based signatures in NSS was already
> stable and complete, covering both RSA and ECDSA signatures. Another
> evidence of mature support is the FIPS 140-2 validation of NSS 3.11.4
> (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2007.htm#814).
> A very conservative response would be NSS 3.11.4
> (http://www-archive.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-release-notes.html)
> and later.
> Wan-Teh
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

More information about the Public mailing list