[cabfpub] Mozilla SHA-1 further restrictions

Rob Stradling rob.stradling at comodo.com
Thu Nov 17 12:42:16 UTC 2016

On 17/11/16 11:48, Gervase Markham via Public wrote:
> Mozilla intends to place further restrictions (beyond those in the BRs)
> on the use of SHA-1 in hierarchies chaining up to our embedded roots.
> The goal here is to reduce the value of a SHA-1 collision to an
> attacker. (Bear in mind that Mozilla's root program covers email as well
> as server certs.) The current text has been discussed in m.d.s.policy,
> and is this:
> <quote>
> CAs may only sign SHA-1 hashes over end-entity certs which chain up to
> roots in Mozilla's program if all the following are true:
> * The certificate is not within the scope of the Baseline Requirements;
> * The issuing CA and the certificate itself both have a critical EKU
> extension with a single key purpose, which is not id-kp-serverAuth or
> anyExtendedKeyUsage;

Gerv, why must the EKU extension be critical?

If an application processes the EKU extension, the critical flag is 
redundant.  All of Mozilla's certificate path validation libraries 
process the EKU extension, right?  (I haven't seen an application blow 
up due to a critical EKU extension since Netscape 4.77!)

I don't remember ever seeing an intermediate cert with a critical EKU 
extension.  It would be unfortunate if your "further restrictions" lead 
to CAs reissuing their SHA-1 intermediates!


Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list