[cabfpub] FW: Ballot 152 - Issuance of SHA-1 certificates through 2016)

Dean Coclin Dean_Coclin at symantec.com
Mon Oct 19 22:25:25 UTC 2015


Re-posting

-----Original Message-----
From: Jacob Hoffman-Andrews [mailto:jsha at eff.org] 
Sent: Monday, October 19, 2015 6:24 PM
To: Dean Coclin; questions at cabforum.org; Ryan Sleevi
Subject: Re: [cabfpub] Ballot 152 - Issuance of SHA-1 certificates through 2016)

(posted to questions; please repost)

On 10/19/2015 12:48 PM, Dean Coclin wrote:
> 1. The prohibition of issuing SHA1 certs after Dec 31, 2015 that still 
> expire by the existing deadline (Dec 31, 2016).
If you look at the attack that used the MD5 collision
(https://www.win.tue.nl/hashclash/rogue-ca/), it depended on finding a CA
willing to issue a certificate at the time of the attack. They were able to
use the attack to mint a rogue certificate with the contents of their
choice, including expiration date.

Assuming all CAs stop issuing new SHA-1 certificates as planned on Dec 31,
2015, then that is the last day that a SHA-1 collision can be exploited to
generate a rogue certificate. If some CAs were to continue issuing in 2016,
an attacker could still generate a SHA-1 collision in 2016, regardless of
the expiry time that those CAs included in the non-rogue certificate they
signed.

> 2. The prohibition of issuing non-browser based SHA-1 certs beyond Dec
> 31, 2015.

As I described above, a collision allows the attackers to mint a certificate
with the contents of their choice. Even if there were a critical extension
saying "don't trust this EE cert in a browser,"
attackers could mint a certificate without that poison extension.


Another way to put it that might help make it more clear to the Fortune
50 companies: A hash collision is like the ability to steam a stamp off of
one envelope and stick it on a second envelope. It doesn't matter if the
first envelope says "good until Dec 31 2016," because the second envelope
can say "good until 2030."
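An added example, not part of the thread or of any CA/Browser Forum material: a small Go audit that applies the two cut-offs discussed above to a PEM bundle, flagging SHA-1-signed certificates issued after 2015-12-31 or valid past 2016-12-31. The function names and the exemption for self-signed trust anchors are my own assumptions, not anything the ballot text specifies.

```go
package main

import (
	"bytes"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
	"time"
)

// Ballot 152 cut-offs (end of day, UTC): last SHA-1 issuance and last SHA-1 validity.
var (
	sha1IssuanceCutoff = time.Date(2015, 12, 31, 23, 59, 59, 0, time.UTC)
	sha1ExpiryCutoff   = time.Date(2016, 12, 31, 23, 59, 59, 0, time.UTC)
)

// CheckCert returns one finding per cut-off a SHA-1-signed certificate breaks.
// Self-signed certificates are skipped (assumption): a root's own signature is never
// verified by relying parties, so the collision argument in the thread does not apply.
func CheckCert(c *x509.Certificate) (findings []string) {
	alg := c.SignatureAlgorithm
	sha1 := alg == x509.SHA1WithRSA || alg == x509.DSAWithSHA1 || alg == x509.ECDSAWithSHA1
	if !sha1 || bytes.Equal(c.RawIssuer, c.RawSubject) {
		return nil
	}
	if c.NotBefore.After(sha1IssuanceCutoff) {
		findings = append(findings, "issued "+c.NotBefore.Format("2006-01-02")+", after the SHA-1 issuance cut-off")
	}
	if c.NotAfter.After(sha1ExpiryCutoff) {
		findings = append(findings, "expires "+c.NotAfter.Format("2006-01-02")+", after the SHA-1 expiry cut-off")
	}
	return findings
}

// main audits the PEM bundle named on the command line and prints one line per finding.
func main() {
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(b.Bytes); err == nil { // non-certificate blocks are skipped
			for _, f := range CheckCert(c) {
				fmt.Printf("%s: %s\n", c.Subject, f)
			}
		}
	}
}
```

Run as `go run . bundle.pem`; an empty output means every SHA-1 certificate in the bundle (trust anchors aside) stays inside both deadlines.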
