[cabfpub] A better way to do SHA-1 legacy

Gervase Markham gerv at mozilla.org
Tue Jul 19 07:53:40 MST 2016


On 19/07/16 15:44, Erwann Abalea wrote:
> There’s no need to collide SHA2 with this scheme.
> The attacker can know in advance what the serial number will be; it may
> not be sequential, but is nevertheless predictable. So the attacker

But the attacker can only know the serial number when the entire
remainder of the certificate is fixed. So how can they tweak it to
enable the attack? If they tweak it, the serial number changes.

Gerv
