[cabfpub] Mozilla SHA-1 further restrictions
Wayne Thayer
wthayer at godaddy.com
Tue Nov 22 15:16:59 MST 2016
>> Of course the best answer should be to completely ban SHA1. But since
>> we're struggling with legacy stuff, my proposal would be to ban SHA-1
>> OCSP signing from a CA key, and instead use a designated OCSP
>> responder certificate for such responses.
> Do other CAs have comments on the level of disruption that such a
> mandate might cause? AIUI, if this were required, then a SHA-1 collision
> using an OCSP response could only be used to fake another OCSP response.
> Which sounds like good risk reduction.
This seems entirely reasonable and prudent to me. And Microsoft requires it anyhow:
A CA must either technically constrain an OCSP responder such that the only EKU allowed is OCSP Signing or it must not use SHA-1 to sign OCSP responses.
Wayne
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20161122/c6a4d43d/attachment-0001.html>
More information about the Public
mailing list