[cabfpub] Mozilla SHA-1 further restrictions

Gervase Markham gerv at mozilla.org
Thu Nov 17 11:48:08 UTC 2016


Mozilla intends to place further restrictions (beyond those in the BRs)
on the use of SHA-1 in hierarchies chaining up to our embedded roots.
The goal here is to reduce the value of a SHA-1 collision to an
attacker. (Bear in mind that Mozilla's root program covers email as well
as server certs.) The current text has been discussed in m.d.s.policy,
and is this:

<quote>
CAs may only sign SHA-1 hashes over end-entity certs which chain up to
roots in Mozilla's program if all the following are true:

* The certificate is not within the scope of the Baseline Requirements;

* The issuing CA and the certificate itself both have a critical EKU
extension with a single key purpose, which is not id-kp-serverAuth or
anyExtendedKeyUsage;

* The issuing CA has a pathlen:0 constraint;

* The certificate has at least 64 bits of entropy from a CSPRNG in the
serial number.

CAs may only sign SHA-1 hashes over non-certificate data (e.g. OCSP
responses, CRLs) using certs which chain up to roots in Mozilla's
program if all of the following are true:

* Doing so is necessary for a documented compatibility reason;

* All of the signed data is static, or defined by the CA and not another
party.
</quote>

We intend to impose this requirement with a compliance deadline of 6
months, as it may require cutting new intermediates, and compatibility
testing with EKUs in intermediates.

This is a last call for objections that have not so far been raised.

Gerv
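
The four end-entity conditions quoted in the message above, written as a pre-issuance check. This is an added example, not part of the original post and not Mozilla's or any CA's code. It assumes the certificate fields have already been parsed into the hypothetical `CertInfo` structure; the field names, the sample values and the `MIN_SERIAL_BITS` threshold are assumptions, and BR scope is supplied by the reviewer.

```python
from dataclasses import dataclass
from typing import List, Optional

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
ANY_EKU = "2.5.29.37.0"                 # anyExtendedKeyUsage
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection, used in the samples
# Heuristic (assumption): entropy cannot be proven from one certificate, but a
# uniformly random 64-bit value is below 2**48 with probability 2**-16.
MIN_SERIAL_BITS = 48

@dataclass
class CertInfo:
    """Hypothetical pre-parsed certificate fields."""
    eku_oids: Optional[List[str]] = None   # None means no EKU extension
    eku_critical: bool = False
    path_len: Optional[int] = None         # basicConstraints pathLenConstraint
    serial: int = 0
    in_br_scope: bool = False              # reviewer's determination, not parsed

def eku_ok(cert: CertInfo) -> bool:
    """Critical EKU with exactly one purpose, neither serverAuth nor anyEKU."""
    return (cert.eku_oids is not None and cert.eku_critical
            and len(cert.eku_oids) == 1
            and cert.eku_oids[0] not in (SERVER_AUTH, ANY_EKU))

def sha1_ee_violations(issuer: CertInfo, leaf: CertInfo) -> List[str]:
    """Return the quoted conditions that a SHA-1-signed end-entity cert fails."""
    problems = []
    if leaf.in_br_scope:
        problems.append("certificate is within BR scope")
    if not eku_ok(issuer):
        problems.append("issuing CA EKU not critical/single/non-server")
    if not eku_ok(leaf):
        problems.append("certificate EKU not critical/single/non-server")
    if issuer.path_len != 0:
        problems.append("issuing CA lacks pathlen:0")
    if leaf.serial.bit_length() < MIN_SERIAL_BITS:
        problems.append("serial too short to plausibly hold 64 random bits")
    return problems

# Constructed samples: an email-only hierarchy and a leaf with a sequential serial.
ISSUER = CertInfo([EMAIL_PROTECTION], True, path_len=0)
GOOD_LEAF = CertInfo([EMAIL_PROTECTION], True, serial=0x5F3A9C0E71D2B846)
BAD_LEAF = CertInfo([EMAIL_PROTECTION, SERVER_AUTH], False, serial=1042)

if __name__ == "__main__":
    for name, leaf in (("good", GOOD_LEAF), ("bad", BAD_LEAF)):
        print(name, sha1_ee_violations(ISSUER, leaf) or "no violations found")
```

The serial check can only flag serials that are implausibly short; whether the bits came from a CSPRNG has to be established from the CA's issuance process, not from the certificate.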


