[cabfpub] Proposal of a SHA-1 exception procedure

Dean Coclin Dean_Coclin at symantec.com
Thu Jun 16 20:04:27 UTC 2016




On Thu, Jun 16, 2016 at 12:05 PM, Dean Coclin <Dean_Coclin at symantec.com> wrote:

If I said, “Dean Coclin’s Really Valuable Credit Card Processing Center” is using a SHA-1 certificate, isn’t that like painting a target on me? So answering questions 1 and 2 in the public domain is adding risk to the cert requestor. A proposed answer could be, “ETA Member #32”, where browsers who are members of the ETA could know for sure who it was.


In order to perform cryptanalysis, the certificate contents themselves would have to be revealed. Are you saying that with the full contents of the tbsCertificate, it would not be patently obvious that it's Dean Coclin's Really Valuable Credit Card Processing Center that needs it?


 >>I thought about that, but then I said to myself, why would that be listed as a separate question? Then again, maybe my certificate is a DV that has a domain of “merchant-data-services.us”


The cryptanalysis, to my understanding from Ryan and Andrew’s explanation, was to help mitigate the risk of a SHA-1 collision and designed to minimize risk to the PKI ecosystem.  


All of the proposed protocol is designed to minimize risk to the PKI ecosystem.
