[cabfpub] For discussion: Restricting the use of file-based demonstrations of control

Rob Stradling rob.stradling at comodo.com
Tue Jun 3 12:14:35 UTC 2014

On 02/06/14 22:28, Adam Langley wrote:
> On Mon, Jun 2, 2014 at 2:04 PM, Rob Stradling <rob.stradling at comodo.com> wrote:
>> Oh, BTW, our current scheme requires the attacker to generate a CSR that
>> collides with both the SHA-1 _and_ MD5 hashes of the legitimate CSR.
> The concatenation of SHA-1 and MD5 is, sadly, not nearly as good as
> one might hope:
> http://www.iacr.org/cryptodb/archive/2004/CRYPTO/1472/1472.pdf.

Oh, that is indeed sad.  Thanks for the link, Adam!

>> I thought the N-bits-of-randomness-in-serial-numbers requirement was
>> added specifically because SHA-1 is on its last legs.  Can we not say
>> that SHA-256 (and, hopefully, SHA-1-plus-MD5) has a large enough
>> security margin that the randomness requirement isn't actually necessary?
> Entropy in the serial numbers was, indeed, added to convert the
> attackers' problem from a simple collision attack to something close
> to target collision resistance. Technically, with SHA-256 that's no
> longer needed. However it would be sad to regress.

On the other hand, our customers find it really useful to be able to 
pre-generate these "demonstrations of control" themselves (i.e. without 
having to ask the CA for a unique, per-request random number).  So from 
a usability point of view, it would be sad to lose this property.

> Also, I think Ryan's previous concern would still stand:
> "Another attack would be using the same CSR,

How does the attacker obtain the legitimate customer's CSR?

> but provided to another
> CA, CA B. The attacker does not hold the private key (yet), but
> obtains an additional certificate. Then, using a technique like
> Heartbleed, obtains the private key at some later point.
> The legitimate customer revokes their certificate with their known CA,
> CA A. Assuming revocation worked reliably (eg: must-staple), that
> certificate and key pair would now be invalid. However, the attacker
> holds a still-valid certificate, from CA B, and now holds the private
> key as well. Without compromise of any CA, and without awareness of
> the subscriber (sans CT), they can now mount a MITM."
> Cheers

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
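Added worked example (not part of the original message or of the thread, and not Comodo's scheme): a toy reproduction of the multicollision attack that Adam's link points at (Joux, CRYPTO 2004), which is why requiring a CSR to collide under both SHA-1 and MD5 buys far less than the sum of the two output lengths. F stands in for an iterated Merkle-Damgard hash (as MD5 and SHA-1 both are) with a 16-bit chaining state, and G for any second 16-bit hash; both are built from truncated SHA-256 purely so the search finishes instantly, and the 4-byte "CA nonce" used at the end is a constructed value standing in for the per-request randomness discussed above. Finding t single-block collisions in F yields 2^t messages that all share the same F value for about t*2^(n/2) work, and an ordinary birthday search over those messages then collides G as well, so F||G falls for roughly the cost of attacking the stronger hash alone rather than 2^((n+m)/2). The last function also shows why the position of CA-supplied randomness matters for an iterated hash: randomness placed before the attacker-controlled bytes (as a random serial number is, near the start of TBSCertificate) invalidates any pre-generated collision, while randomness appended after it does not.

```python
"""Toy Joux multicollision against a concatenation of two hashes.

Added example, not code from the cabfpub thread or from any CA. F and G are
16-bit toy hashes derived from truncated SHA-256; only the structure matters:
F is iterated (Merkle-Damgard), G may be anything.
"""
import hashlib
import itertools

STATE_BYTES = 2   # 16-bit chaining value (toy; MD5 uses 16 bytes, SHA-1 uses 20)
BLOCK_BYTES = 4   # message block size (toy; MD5 and SHA-1 use 64 bytes)
IV = b"\x00" * STATE_BYTES
WORK = {"compress": 0}  # counter so the cost can be compared with brute force


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function of F: SHA-256 truncated to 16 bits."""
    WORK["compress"] += 1
    return hashlib.sha256(b"F" + state + block).digest()[:STATE_BYTES]


def hash_f(msg: bytes) -> bytes:
    """Iterated (Merkle-Damgard) toy hash; msg must be whole blocks."""
    assert len(msg) % BLOCK_BYTES == 0
    state = IV
    for i in range(0, len(msg), BLOCK_BYTES):
        state = compress(state, msg[i:i + BLOCK_BYTES])
    return state


def hash_g(msg: bytes) -> bytes:
    """Second, independent toy 16-bit hash; it need not be iterated."""
    return hashlib.sha256(b"G" + msg).digest()[:STATE_BYTES]


def hash_fg(msg: bytes) -> bytes:
    """The 'hash with both and concatenate' construction: 32 bits of output."""
    return hash_f(msg) + hash_g(msg)


def find_block_collision(state: bytes):
    """Birthday search for b1 != b2 with compress(state, b1) == compress(state, b2).
    Costs about 2^(n/2) compressions for an n-bit state."""
    seen = {}
    for n in itertools.count():
        block = n.to_bytes(BLOCK_BYTES, "big")
        h = compress(state, block)
        if h in seen:
            return seen[h], block, h
        seen[h] = block


def joux_multicollision(t: int):
    """t chained single-block collisions in F give 2^t distinct messages that
    all share one F value, for only about t * 2^(n/2) work."""
    state = IV
    pairs = []
    for _ in range(t):
        b1, b2, state = find_block_collision(state)
        pairs.append((b1, b2))
    return pairs, state


def collide_concatenation(t: int = 12):
    """Collide F||G: build a 2^t-way multicollision on F, then run a plain
    birthday search on G over those 2^t messages. Returns (m1, m2) or None."""
    pairs, _ = joux_multicollision(t)
    seen = {}
    for choice in itertools.product((0, 1), repeat=t):
        msg = b"".join(pairs[i][c] for i, c in enumerate(choice))
        g = hash_g(msg)
        if g in seen:
            return seen[g], msg
        seen[g] = msg
    return None  # 4096 messages into a 16-bit G: failure is astronomically unlikely


def ca_nonce_vs_pregenerated_collision(m1: bytes, m2: bytes, nonce: bytes) -> dict:
    """CA-chosen randomness mixed in *before* attacker-controlled bytes changes the
    chaining state, so a pre-generated collision no longer collides; appended
    *after* them it is useless, since equal states stay equal through a common suffix."""
    return {
        "prefix_still_collides": hash_f(nonce + m1) == hash_f(nonce + m2),
        "suffix_still_collides": hash_f(m1 + nonce) == hash_f(m2 + nonce),
    }


if __name__ == "__main__":
    m1, m2 = collide_concatenation()
    print("m1 != m2:", m1 != m2, " hash_fg(m1) == hash_fg(m2):", hash_fg(m1) == hash_fg(m2))
    print("compression calls:", WORK["compress"],
          "(a naive birthday attack on the 32-bit output needs about 2^16 = 65536)")
    # constructed nonce standing in for a CA-chosen per-request random value
    print(ca_nonce_vs_pregenerated_collision(m1, m2, b"\x5a\x13\xc0\x81"))
```

Running the script prints the collision check, the number of compression-function calls (a few thousand, against the roughly 2^16 evaluations a naive birthday attack on the 32-bit combined output would need), and the prefix/suffix comparison, in which only the appended nonce leaves the pre-generated pair colliding.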
