[cabfpub] A better way to do SHA-1 legacy

Ryan Sleevi sleevi at google.com
Tue Jul 19 18:13:30 MST 2016


On Mon, Jul 18, 2016 at 10:36 AM, philliph at comodo.com <philliph at comodo.com> wrote:

> 1) Generate the tbsCertificate with the Serial number field containing the
> bytes [0x01 … 0x01], minimum of 16 bytes. This is just a fixed value
> placeholder. Also add an extension OID for 'phb-sha1-hack'
>

Objectively speaking, what value does 'phb-sha1-hack' add?

It would only seem to add value if someone wanted to continue trusting new
SHA-1 certificates and programmatically evaluate those that contain such an
extension.

That doesn't seem to be a thing we should encourage, given that the very
argument for the need for these is that they're not to be publicly trusted
and on systems that cannot be updated.

Have I missed some other use case?