[cabfpub] Proposal of a SHA-1 exception procedure

Ryan Sleevi sleevi at google.com
Thu Jun 16 19:18:06 UTC 2016


On Thu, Jun 16, 2016 at 12:05 PM, Dean Coclin <Dean_Coclin at symantec.com>
wrote:

> If I said, “Dean Coclin’s Really Valuable Credit Card Processing Center”
> is using a SHA-1 certificate, isn’t that like painting a target on me? So
> answering questions 1 and 2 in the public domain is adding risk to the cert
> requestor. A proposed answer could be, “ETA Member #32”, where browsers who
> are members of the ETA could know for sure who it was.
>

In order to cryptanalysis, the certificate contents themselves would have
to be revealed. Are you saying that with the full contents of the
tbsCertificate, it would not be patently obviously that it's Dean Coclin's
Really Valuable Credit Card Processing Center that needs it?


>
>
> The cryptanalysis, to my understanding from Ryan and Andrew’s explanation,
> was to help mitigate the risk of a SHA-1 collision and designed to minimize
> risk to the PKI ecosystem.
>

All of the proposed protocol is designed to minimize risk to the PKI
ecosystem.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160616/f197888e/attachment-0003.html>


More information about the Public mailing list