[cabfpub] Proposal of a SHA-1 exception procedure

Dean Coclin Dean_Coclin at symantec.com
Thu Jun 16 21:44:45 UTC 2016


My suggestion was that the browsers be notified of those details but that they be redacted from the public document. 

 

As Jody stated in Bilbao, there is no point in exposing this information if it introduces security risks. He also said that we should be collectively trying to find a solution which involves compromise. To that end, I think Andrew has done a great job with his initial proposal, garnered from the discussion in Bilbao. But some fine tuning should be expected and hopefully we can find an amenable solution to all parties.


Today I participated on a call with FS-ISAC members in which they expressed a security concern about the current procedure. Hence my comments.

 

I’m wondering if a separate working group type call could be held to mash out a final, recommended document and present to the forum members. I’m not suggesting a formal working group, rather a subset of the normal meeting call in group that can work together to propose a final document.

 

Thanks,

Dean

 

From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Thursday, June 16, 2016 4:42 PM
To: Dean Coclin <Dean_Coclin at symantec.com>
Cc: Eric Mill <eric at konklone.com>; CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Proposal of a SHA-1 exception procedure

 

 

 

On Thu, Jun 16, 2016 at 1:04 PM, Dean Coclin <Dean_Coclin at symantec.com> wrote:

In order to do cryptanalysis, the certificate contents themselves would have to be revealed. Are you saying that with the full contents of the tbsCertificate, it would not be patently obvious that it's Dean Coclin's Really Valuable Credit Card Processing Center that needs it?

 

 >>I thought about that, but then I said to myself, why would that be listed as a separate question? Then again, maybe my certificate is a DV that has a domain of “merchant-data-services.us”

 

Do you think it would be relevant to the PKI ecosystem if the domain was haha-we-found-a-collision-you-cryptonerds-couldnt-find.nsa.gov? If the requester was the NSA?
