[cabfpub] A better way to do SHA-1 legacy

philliph at comodo.com philliph at comodo.com
Wed Jul 20 00:06:02 UTC 2016


The point is that it is not possible to change just one bit in a certificate at a time. Any change to the cert whatsoever will cause unpredictable changes to at least 128 bits in the cert.

I know that we agreed to do something different. The reason I am proposing to revisit is that the original scheme isn’t auditable and people seem to be screwing it up.



> On Jul 19, 2016, at 6:59 PM, Erwann Abalea <Erwann.Abalea at docusign.com> wrote:
> 
> The attacker can tweak the public key and obtain a resulting tbsCert until a set of attacker-defined conditions is met. He doesn’t need to interact with anybody for that, and we don’t know what kind of « attacker-defined conditions » is acceptable.
> In my view, it’s a regression from the current scheme.
> 
> Regards,
> Erwann Abalea
> 
>> On 19 Jul 2016, at 16:53, Gervase Markham <gerv at mozilla.org> wrote:
>> 
>> On 19/07/16 15:44, Erwann Abalea wrote:
>>> There’s no need to collide SHA2 with this scheme.
>>> The attacker can know in advance what the serial number will be; it may
>>> not be sequential, but is nevertheless predictable. So the attacker
>> 
>> But the attacker can only know the serial number when the entire
>> remainder of the certificate is fixed. So how can they tweak it to
>> enable the attack? If they tweak it, the serial number changes.
>> 
>> Gerv
>> 
> 
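As an added illustration, not code from this thread or from any CA, here is the hash-derived serial scheme under discussion as I read it, with assumed parameters: the serial is SHA-256 over the tbsCertificate minus its serial field, truncated to 128 bits. `build_tbs`, `derive_serial`, `audit_serial`, `flip_bit` and the sample fields are all constructed for this example. It shows both points made above: an auditor can recompute the serial from the issued certificate, and flipping a single bit of the public key changes roughly half of the serial's bits, while the derivation itself stays deterministic, so whoever controls the other fields can recompute it offline.

```python
import hashlib
import hmac

SERIAL_OCTETS = 16  # assumption: serial = first 128 bits of SHA-256; the thread fixes no size

def build_tbs(subject: bytes, pubkey: bytes, not_after: bytes) -> bytes:
    # Constructed stand-in for a DER tbsCertificate with the serial left out;
    # a real CA would hash the actual DER bytes.
    return b"|".join([b"issuer=Example CA", subject, pubkey, not_after])

def derive_serial(tbs_without_serial: bytes) -> bytes:
    # CA side: the serial is a function of every other field of the certificate.
    return hashlib.sha256(tbs_without_serial).digest()[:SERIAL_OCTETS]

def audit_serial(serial: bytes, tbs_without_serial: bytes) -> bool:
    # Auditor side: anyone holding the certificate can recompute and compare.
    return hmac.compare_digest(serial, derive_serial(tbs_without_serial))

def bit_distance(a: bytes, b: bytes) -> int:
    # Number of bits that differ between two equal-length serials.
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def flip_bit(data: bytes, bit_index: int) -> bytes:
    # Copy of `data` with exactly one bit flipped (the "change one bit" case from the thread).
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)

# Constructed sample fields; PUBKEY is a placeholder byte string, not a real key.
SUBJECT = b"CN=example.test"
PUBKEY = bytes(range(65))
NOT_AFTER = b"20161231235959Z"

def demo() -> dict:
    # Issue one serial, then see what a one-bit change to the public key does to it.
    tbs = build_tbs(SUBJECT, PUBKEY, NOT_AFTER)
    serial = derive_serial(tbs)
    tbs_tweaked = build_tbs(SUBJECT, flip_bit(PUBKEY, 100), NOT_AFTER)
    return {
        "serial": serial.hex(),
        "audit_ok": audit_serial(serial, tbs),                   # True
        "audit_after_tweak": audit_serial(serial, tbs_tweaked),  # False: old serial no longer fits
        "bits_changed": bit_distance(serial, derive_serial(tbs_tweaked)),  # roughly half of 128
    }
```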