[cabfpub] Microsoft Proposed Updates to the SHA-1 Deprecation Timeline

Ryan Sleevi sleevi at google.com
Wed Oct 28 21:16:14 UTC 2015

On Wed, Oct 28, 2015 at 2:03 PM, Doug Beattie <doug.beattie at globalsign.com>

> With the certificate serial number entropy

This is not a MUST requirement in the Baseline Requirements, unfortunately.

Section 7.1
"CAs SHOULD generate non-sequential Certificate serial numbers that exhibit
at least 20 bits of entropy"

As such, it's not a terribly reliable scheme.

> and the fact we’re not issuing any SSL certificates after 12/31/2015 we
> should be sufficiently protected against the recent improvements in
> breaking some aspects of SHA-1.  It’s another story if SHA-1 is suddenly
> broken and the date needs to be changed, but that hasn’t happened <yet>.

The advancements merely show that the expected cost of a practical
exploitation of SHA-1 is lower than expected, and builds on past research
to show that SHA-1 is broken, as has long been known.

Put differently, we're entering the realm of "cybercrime syndicates can
mount SHA-1 attacks", but we've been in the realm of "nation-states with
advanced cryptography research teams and significant compute power" for
some time.

Recall that the Flame attack exploited then-unknown attacks against MD5,
even though they fit within the framework of the research at the time. That
is, nation-states were already significantly more advanced than the state of
research at the time. We should reasonably and logically conclude the same
applies to SHA-1.

That is to say, it's reasonable to expect there may already be nation-state
players who have exploited SHA-1, such that as long as it remains accepted,
user populations remain at risk.
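The exchange above turns on whether serial-number entropy actually mitigates collision attacks against SHA-1 certificates, and on the point that Baseline Requirements section 7.1 only says CAs SHOULD exhibit at least 20 bits of entropy. Below is an added example, not code from the thread, the CA/B Forum or any CA, of the two things a defender can do with that: generate serials from a CSPRNG (64 random bits is this example's own assumption; the page quotes only the 20-bit SHOULD figure) and audit a sample of issued serials for the counter-style behaviour that makes a to-be-signed certificate predictable. The sample serials and the small-gap heuristic are constructed for illustration.

```python
import secrets
from typing import Sequence

# Figure quoted on the page from Baseline Requirements section 7.1 (a SHOULD, not a MUST).
BR_SHOULD_ENTROPY_BITS = 20


def generate_serial(entropy_bits: int = 64) -> int:
    """Draw a non-zero serial number from the OS CSPRNG.

    Assumption for this example: 64 random bits, comfortably above the
    20-bit SHOULD quoted on the page; the page states no other figure.
    """
    if entropy_bits < BR_SHOULD_ENTROPY_BITS:
        raise ValueError("below the BR 7.1 SHOULD figure")
    while True:
        serial = secrets.randbits(entropy_bits)
        if serial:  # X.509 serial numbers must be positive, so reject 0
            return serial


def serial_to_der_content(serial: int) -> bytes:
    """Content octets of the DER INTEGER for a positive serial.

    DER prepends 0x00 when the top bit is set so the value stays positive;
    the encoded form must not exceed 20 octets.
    """
    if serial <= 0:
        raise ValueError("serial must be positive")
    raw = serial.to_bytes((serial.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    if len(raw) > 20:
        raise ValueError("DER serial exceeds 20 octets")
    return raw


def small_gap_fraction(serials: Sequence[int], max_gap: int = 16) -> float:
    """Fraction of consecutive (issuance-ordered) serial pairs with 0 < b - a <= max_gap.

    Near 1.0 means the CA is counting (predictable); a CSPRNG yields ~0.0.
    """
    pairs = list(zip(serials, serials[1:]))
    if not pairs:
        return 0.0
    close = sum(1 for a, b in pairs if 0 < b - a <= max_gap)
    return close / len(pairs)


def audit_serials(serials: Sequence[int], threshold: float = 0.5) -> dict:
    """Summarise whether a sample of serials looks sequential or random."""
    frac = small_gap_fraction(serials)
    return {
        "count": len(serials),
        "small_gap_fraction": frac,
        "looks_sequential": frac >= threshold,
    }


# Constructed samples: a counter-style CA versus a CSPRNG-style CA.
SEQUENTIAL_SAMPLE = list(range(0x1000, 0x1000 + 64))
RANDOM_SAMPLE = [generate_serial() for _ in range(64)]

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL_SAMPLE), ("random", RANDOM_SAMPLE)):
        print(name, audit_serials(sample))
```

The heuristic only detects the obvious failure (a counter); it cannot prove that a CA's serials carry 20 bits of entropy, which is the practical side of the "not terribly reliable" remark above: with a SHOULD, a relying party has no guarantee the mitigation is present at all.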