[cabfpub] Mozilla SHA-1 further restrictions

Gervase Markham gerv at mozilla.org
Thu Nov 17 16:18:17 UTC 2016


Let's try a v2, as the first one turns out to have been less than
ideally-drafted (even after several rounds of earlier review...):

(Note: this doesn't include a conclusion to the conversation about EKUs.)

<quote>
CAs may only sign SHA-1 hashes over end-entity certs which chain up to
roots in Mozilla's program if all the following are true:

1) The end-entity certificate:

  * is not within the scope of the Baseline Requirements;

  * contains an EKU extension with a single key purpose, which is not
    id-kp-serverAuth or anyExtendedKeyUsage;

  * has at least 64 bits of entropy from a CSPRNG in the serial number.

2) The issuing intermediate:

  * contains an EKU extension with a single key purpose, which is not
    id-kp-serverAuth or anyExtendedKeyUsage;

  * has a pathlen:0 constraint.

CAs may only sign SHA-1 hashes over non-certificate data (e.g. OCSP
responses, CRLs) using certs which chain up to roots in Mozilla's
program if all of the following are true:

* the cert has a Basic Constraints extension with a value of false in
  the cA component;

* Doing so is necessary for a documented compatibility reason;

* The CA takes care that all of the signed data is either static,
  defined by the CA, or of a known and expected form.
</quote>
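The conditions in the quoted proposal are mostly properties a CA's issuance pipeline can check mechanically before a SHA-1 signature is ever produced. The following Go program is an added example, not code from this post, from Mozilla, or from the CA/Browser Forum; it encodes the checkable conditions (EKU with a single non-serverAuth, non-any purpose on both the end-entity and the intermediate, pathlen:0 on the intermediate, a serial long enough to hold 64 bits, and cA=false on a non-certificate signer) using only Go's standard-library crypto/x509. The function names, the constructed demo certificates, and the serial-length test as a proxy for entropy are this example's assumptions; "outside the scope of the Baseline Requirements" and "documented compatibility reason" are judgements the code leaves to a human reviewer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example (hypothetical policy checker), not Mozilla's or CA/B Forum code.

// singleNonServerEKU: an EKU extension is present with exactly one key purpose,
// and that purpose is neither id-kp-serverAuth nor anyExtendedKeyUsage.
func singleNonServerEKU(c *x509.Certificate) bool {
	if len(c.ExtKeyUsage)+len(c.UnknownExtKeyUsage) != 1 {
		return false // extension absent, or more than one purpose listed
	}
	if len(c.UnknownExtKeyUsage) == 1 {
		return true // a single OID Go does not name is neither serverAuth nor any
	}
	ku := c.ExtKeyUsage[0]
	return ku != x509.ExtKeyUsageServerAuth && ku != x509.ExtKeyUsageAny
}

// CheckSHA1EndEntity returns the conditions violated by (end-entity, issuing
// intermediate); an empty result means every mechanically checkable rule passes.
func CheckSHA1EndEntity(ee, issuer *x509.Certificate) []string {
	var v []string
	if !singleNonServerEKU(ee) {
		v = append(v, "end-entity: EKU must list one purpose, not serverAuth/any")
	}
	// A single serial cannot prove 64 bits of CSPRNG output; at least 8 octets is
	// only a necessary condition, the generator itself still has to be audited.
	if ee.SerialNumber.Sign() <= 0 || len(ee.SerialNumber.Bytes()) < 8 {
		v = append(v, "end-entity: serial shorter than 64 bits")
	}
	if !singleNonServerEKU(issuer) {
		v = append(v, "intermediate: EKU must list one purpose, not serverAuth/any")
	}
	if !issuer.BasicConstraintsValid || !issuer.IsCA || !issuer.MaxPathLenZero {
		v = append(v, "intermediate: missing pathlen:0 constraint")
	}
	return v
}

// CheckSHA1NonCertSigner covers the checkable rule for certs that sign OCSP
// responses or CRLs with SHA-1: basicConstraints present with cA=false.
func CheckSHA1NonCertSigner(c *x509.Certificate) []string {
	if !c.BasicConstraintsValid || c.IsCA {
		return []string{"signer: basicConstraints must be present with cA=false"}
	}
	return nil
}

// newSerial: fixed 0x01 octet followed by 9 CSPRNG octets, so the DER value is
// positive and always 10 octets long while carrying 72 bits of entropy.
func newSerial() (*big.Int, error) {
	buf := make([]byte, 10)
	if _, err := rand.Read(buf[1:]); err != nil {
		return nil, err
	}
	buf[0] = 0x01
	return new(big.Int).SetBytes(buf), nil
}

// buildDemo constructs a self-signed intermediate and an end-entity cert (test
// data built here, not real CA material) with the given EKU and pathlen choice.
func buildDemo(eku []x509.ExtKeyUsage, pathLenZero bool) (ee, inter *x509.Certificate, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	mk := func(tpl, parent *x509.Certificate) (*x509.Certificate, error) {
		if tpl.SerialNumber, err = newSerial(); err != nil {
			return nil, err
		}
		der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, key)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	now := time.Now()
	interTpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: "Demo Email CA"}, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: true, MaxPathLen: 0, MaxPathLenZero: pathLenZero,
		ExtKeyUsage: eku, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if inter, err = mk(interTpl, interTpl); err != nil {
		return nil, nil, err
	}
	eeTpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: "user@example.test"}, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: false, ExtKeyUsage: eku,
	}
	if ee, err = mk(eeTpl, inter); err != nil {
		return nil, nil, err
	}
	return ee, inter, nil
}

func main() {
	ee, inter, err := buildDemo([]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("S/MIME chain violations:", CheckSHA1EndEntity(ee, inter))
	tlsEE, tlsInter, _ := buildDemo([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, false)
	fmt.Println("TLS chain violations:", CheckSHA1EndEntity(tlsEE, tlsInter))
	fmt.Println("OCSP signer (EE/CA):", CheckSHA1NonCertSigner(ee), CheckSHA1NonCertSigner(inter))
}
```

Run as-is, the S/MIME-style chain (emailProtection EKU on both certs, pathlen:0 on the intermediate) reports no violations, while a server-auth chain without pathlen:0 trips three of the four end-entity rules. The serial test deliberately stops at length: entropy is a property of how the CA draws the number, which is why the proposal words it as "from a CSPRNG" rather than as something visible in the certificate.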
