[cabfpub] A better way to do SHA-1 legacy
Ryan Sleevi
sleevi at google.com
Wed Jul 20 01:13:30 UTC 2016
On Mon, Jul 18, 2016 at 10:36 AM, philliph at comodo.com <philliph at comodo.com>
wrote:
> 1) Generate the tbsCertificate with the Serial number field containing the
> bytes [0x01 … 0x01], minimum of 16 bytes. This is just a fixed value
> placeholder. Also add an extension OID for 'phb-sha1-hack'
>
Objectively speaking, what value does 'phb-sha1-hack' add?
It would only seem to add value if someone wanted to continue trusting new
SHA-1 certificates and programmatically evaluate those that contain such an
extension.
That doesn't seem to be a thing we should encourage, given that the very
argument for the need for these is that they're not to be publicly trusted
and on systems that cannot be updated.
Have I missed some other use case?