[cabfpub] A better way to do SHA-1 legacy
Rob Stradling
rob.stradling at comodo.com
Tue Jul 19 14:17:52 UTC 2016
On 19/07/16 14:08, Gervase Markham wrote:
> On 18/07/16 18:36, philliph at comodo.com wrote:
>> Looking at the recent SHA-1 muck up, I am not confident that the
>> current approach works. It fails for the same reason that random
>> Elliptic Curve parameters fail: there is no mechanism that allows a
>> process for generating random numbers to be audited.
>>
>> So let's go to the solution we chose for EC - rigid construction. This
>> can be made to be auditable.
>
> This seems like a good idea; objections?
We only just voted to require serial numbers to contain "at least 64
bits of output from a CSPRNG" [1] ! ;-)
Ballot 164 replaced '“entropy” with “CSPRNG” to make the requirement
clearer and easier to audit'. However, that's referring to the kind of
auditing that can only be done by WebTrust/ETSI auditors, whereas
rigidly constructed serial numbers would be auditable by anyone.
If rigidly constructed serial numbers are deemed acceptable when signing
certs with a legacy signature algorithm (sha1WithRSAEncryption), would
it also make sense to permit (or even require) rigidly constructed
serial numbers to be used when signing with current/future signature
algorithms (e.g. sha256WithRSAEncryption)?
[1] https://cabforum.org/2016/07/08/ballot-164/
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
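The contrast Rob draws between auditor-only checking of CSPRNG serials and publicly checkable rigid construction, as an added illustration that is not code from this thread, from Comodo or from the CA/Browser Forum. The rigid construction used here (serial = truncated SHA-256 over a toy canonical encoding of the to-be-signed fields) and the field names are assumptions for the example only; the thread does not specify any particular construction.

```python
import hashlib
import secrets

# RFC 5280 limits serialNumber to 20 octets and requires a positive integer.
SERIAL_BYTES = 20


def canonical_tbs(fields: dict) -> bytes:
    """Deterministic, length-prefixed encoding of the to-be-signed fields.

    Assumption for this example: keys and values are str. A real scheme would
    hash a canonical DER encoding rather than this toy encoding.
    """
    out = bytearray()
    for key in sorted(fields):
        for part in (key, str(fields[key])):
            data = part.encode("utf-8")
            out += len(data).to_bytes(4, "big") + data
    return bytes(out)


def rigid_serial(fields: dict) -> int:
    """Hypothetical rigid construction: serial = truncated SHA-256 of the fields."""
    digest = hashlib.sha256(canonical_tbs(fields)).digest()[:SERIAL_BYTES]
    # Clear the top bit so the DER INTEGER stays positive within 20 octets,
    # and never emit zero.
    serial = int.from_bytes(digest, "big") & ((1 << (8 * SERIAL_BYTES - 1)) - 1)
    return serial or 1


def audit_rigid(fields: dict, claimed_serial: int) -> bool:
    """Public audit: anyone holding the certificate can recompute the serial
    from its own fields and compare. No access to the CA is needed."""
    return rigid_serial(fields) == claimed_serial


def csprng_serial(bits: int = 64) -> int:
    """Ballot 164 style serial: at least 64 bits of CSPRNG output, nonzero."""
    while True:
        serial = secrets.randbits(bits)
        if serial:
            return serial


def counter_serial(n: int, bits: int = 64) -> int:
    """A sequential serial padded to 64-bit width. It is fully predictable,
    yet nothing about the value itself distinguishes it from CSPRNG output."""
    return (1 << (bits - 1)) + n


def passes_outsider_check(serial: int) -> bool:
    """Everything an outsider can verify about a CSPRNG serial from the
    certificate alone: positive and at most 20 octets. Whether the bits
    actually came from a CSPRNG is invisible; only an on-site auditor can
    inspect the issuing process."""
    return 0 < serial < (1 << (8 * SERIAL_BYTES))


if __name__ == "__main__":
    # Constructed sample fields, not a real certificate.
    fields = {
        "issuer": "CN=Example Issuing CA",
        "subject": "CN=example.test",
        "notBefore": "160719141752Z",
        "notAfter": "170719141752Z",
        "spki": "hypothetical-public-key-bytes",
    }
    s = rigid_serial(fields)
    print("rigid serial:", hex(s), "publicly auditable:", audit_rigid(fields, s))
    tampered = dict(fields, subject="CN=other.test")
    print("same serial on different fields audits as:", audit_rigid(tampered, s))
    print("counter serial passes outsider check:",
          passes_outsider_check(counter_serial(1)))
    print("CSPRNG serial passes the same check:",
          passes_outsider_check(csprng_serial()))
```

Running it shows the asymmetry: `audit_rigid` gives a definite yes/no to anyone with the certificate, while `passes_outsider_check` accepts a padded counter and a genuine CSPRNG value alike, which is why Ballot 164's requirement can only be confirmed by a WebTrust/ETSI auditor looking at the CA's process.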