[cabfpub] Ballot - expiration of SHA1 certificates

Brian Smith brian at briansmith.org
Fri Sep 5 23:27:07 UTC 2014

On Fri, Sep 5, 2014 at 4:16 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
> Tom, I think it would help to clarify that the SHA-1 deprecation policy
> doesn’t apply to OCSP responses. Earlier discussion in this Forum seemed to
> exhibit consensus around the continued acceptability of the use of SHA-1
> where hash algorithms are called for (in the issuer NameHash and issuer
> KeyHash, for example). Even though the BRs say (Section 13.2.5) that OCSP
> responses must conform to RFC 2560 and/or RFC 5019, and those explicitly
> call for SHA-1, I’d like to see an affirmation (probably in Section 13.2.5)
> that SHA-1 is still allowed in this one case.
A hash algorithm is used in three places in OCSP:

1. The ResponderID construct (through KeyHash), to identify a
certificate by the hash of its public key.
2. The CertID construct.
3. The signature of the OCSP response.

I assume that you want to continue to allow SHA-1 in CertID and
ResponderID. But, I don't see any reason to continue to allow SHA-1 in
the signature of the OCSP response, so OCSP response signatures should
be switched to SHA-256 too, even if SHA-1 remains acceptable in CertID
and ResponderID. Is that what you are thinking too?
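The three places Brian enumerates can be checked mechanically against a real response. The Python below is an added example, not code from this thread or from any Forum member: it builds two minimal BasicOCSPResponse encodings with a small DER helper (the KeyHash input, issuer digests, serial number, timestamps and signature bytes are all constructed placeholders, not real values) and parses them back to report which hash algorithm appears in ResponderID, CertID and the response signature. It also covers a SHA-256 CertID, which the message does not discuss, to show that the same check generalizes. The point it makes concrete is that a byKey ResponderID carries no AlgorithmIdentifier at all (RFC 2560, and RFC 6960 which replaced it, define KeyHash as a SHA-1 digest), whereas CertID and signatureAlgorithm each carry an OID that a policy can inspect.

```python
import hashlib

SHA1 = "1.3.14.3.2.26"
SHA256 = "2.16.840.1.101.3.4.2.1"
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"
OID_NAMES = {SHA1: "sha1", SHA256: "sha256",
             SHA1_RSA: "sha1WithRSAEncryption", SHA256_RSA: "sha256WithRSAEncryption"}


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a short or long definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def decode_oid(body: bytes) -> str:
    """Inverse of oid(): turn the content octets back into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def children(content: bytes):
    """Split a constructed value's content into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def alg_id(dotted: str) -> bytes:
    return der(0x30, oid(dotted) + der(0x05, b""))  # AlgorithmIdentifier, NULL params


def build_basic_ocsp_response(certid_hash: str, sig_alg: str) -> bytes:
    """Minimal BasicOCSPResponse (RFC 2560/6960 module uses EXPLICIT TAGS); values constructed."""
    key_hash = hashlib.sha1(b"constructed responder SPKI").digest()  # KeyHash is SHA-1 by definition
    digest_len = 20 if certid_hash == SHA1 else 32
    cert_id = der(0x30, alg_id(certid_hash)
                  + der(0x04, b"\x11" * digest_len)        # issuerNameHash (placeholder)
                  + der(0x04, b"\x22" * digest_len)        # issuerKeyHash (placeholder)
                  + der(0x02, b"\x01\x02\x03"))            # serialNumber (placeholder)
    single = der(0x30, cert_id + b"\x80\x00"               # certStatus: good [0] IMPLICIT NULL
                 + der(0x18, b"20140905000000Z"))          # thisUpdate
    responder = der(0xA2, der(0x04, key_hash))             # responderID: byKey [2] EXPLICIT KeyHash
    tbs = der(0x30, responder + der(0x18, b"20140905000000Z") + der(0x30, single))
    signature = der(0x03, b"\x00" + b"\x99" * 64)          # BIT STRING placeholder, not a real signature
    return der(0x30, tbs + alg_id(sig_alg) + signature)


def audit_ocsp_response(der_bytes: bytes) -> dict:
    """Report the hash algorithm used in each of the three places of a BasicOCSPResponse."""
    (_, tbs), (_, sig_alg), _sig = children(read_tlv(der_bytes)[1])
    fields = children(tbs)
    if fields[0][0] == 0xA0:              # optional explicit version [0] present
        fields = fields[1:]
    responder_tag, responder_body = fields[0]
    if responder_tag == 0xA2:
        key_hash = children(responder_body)[0][1]
        responder_id = f"byKey KeyHash of {len(key_hash)} bytes (SHA-1 fixed by RFC 2560/6960, no OID)"
    else:
        responder_id = "byName (no hash)"
    cert_id_hashes = []
    for _tag, single in children(fields[2][1]):
        cert_id = children(single)[0][1]
        hash_oid = decode_oid(children(children(cert_id)[0][1])[0][1])
        cert_id_hashes.append(OID_NAMES.get(hash_oid, hash_oid))
    sig_oid = decode_oid(children(sig_alg)[0][1])
    sig_name = OID_NAMES.get(sig_oid, sig_oid)
    return {"responder_id": responder_id,
            "cert_id_hashes": cert_id_hashes,
            "signature_algorithm": sig_name,
            "needs_signature_upgrade": sig_name.startswith("sha1")}


# Constructed samples: a SHA-1-everywhere response, and the proposed migration
# (SHA-1 kept in CertID/ResponderID, signature moved to SHA-256).
LEGACY = build_basic_ocsp_response(SHA1, SHA1_RSA)
MIGRATED = build_basic_ocsp_response(SHA1, SHA256_RSA)

if __name__ == "__main__":
    for label, resp in (("legacy", LEGACY), ("migrated", MIGRATED)):
        print(label, audit_ocsp_response(resp))
```

Running it prints a report for both samples; only the legacy one is flagged by `needs_signature_upgrade`, while the CertID and ResponderID entries read the same in both, which is exactly the split the message proposes. The TLV walker is deliberately minimal (definite lengths only, no validation) and is meant for auditing a response you already trust the shape of, not as a general-purpose ASN.1 decoder.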