[cabfpub] Mozilla SHA-1 further restrictions

Gervase Markham gerv at mozilla.org
Thu Nov 17 17:00:13 UTC 2016


On 17/11/16 16:31, Erwann Abalea wrote:
> This results in the situation where a {BC:cA=True,
> keyUsage=keyCertSign+keyCrlSign} certificate would be denied the
> right to sign a CRL. Same reasoning with an OCSP response (signed by
> the CA itself).

Well, OK. I think what I'm trying to achieve here (not allowing signing
of attacker-controlled data) is clear; can someone tell me how to write
that?

>> Let's say someone signs an email cert from an intermediate without 
>> pathlen:0. If there's a collision, that signature can be passed to
>> an intermediate cert which can sign email certs for any email
>> address. But if it has a pathlen, they can only create an EE cert.
> 
> An attacker could collide and generate a self-issued CA certificate,
> again with BC:pathLenConstraint=0 (this is valid).

Er, I don't understand what you are saying here. If it's self-signed,
no-one would trust it. But it can't chain, because the intermediate
above has pathlen=0.

Gerv
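Added example, not part of the original message or of any CA/Browser Forum or Mozilla code: a minimal implementation of the path-length accounting in RFC 5280 section 6.1.4, steps (k) to (m), run over a constructed chain. It shows the two cases discussed above: a sub-CA with a new name under a pathLenConstraint=0 intermediate is rejected, while a CA certificate whose issuer name equals its subject name (self-issued in RFC 5280's terms) does not consume path length under step (l) and so is not stopped by that check. The certificate names, the `Cert` record and `check_path_length` are constructed for this example; signatures, name chaining and policy processing are out of scope.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Only the fields RFC 5280 6.1.4 (k)-(m) look at (constructed, not a real X.509 parser)."""
    subject: str
    issuer: str
    ca: bool                        # basicConstraints.cA
    path_len: Optional[int] = None  # basicConstraints.pathLenConstraint, None if absent

    @property
    def self_issued(self) -> bool:
        # RFC 5280 section 6.1: a certificate is self-issued when its issuer
        # and subject names are identical (a statement about names, not keys).
        return self.subject == self.issuer


def check_path_length(chain: List[Cert]) -> bool:
    """Apply RFC 5280 section 6.1.4 (k), (l), (m) to a certification path.

    `chain` runs from the certificate issued by the trust anchor down to the
    end-entity certificate; the trust anchor itself is not included.
    Returns True when the path survives the basicConstraints/path-length checks.
    """
    n = len(chain)
    max_path_length = n  # 6.1.2 (k): initialised to the number of certs in the path
    # 6.1.4 is "prepare for certificate i+1": it runs for every certificate
    # except the last one, so the end-entity certificate is never charged.
    for cert in chain[:-1]:
        # (k): an intermediate must carry basicConstraints with cA=TRUE
        if not cert.ca:
            return False
        # (l): only a certificate that is NOT self-issued consumes path length
        if not cert.self_issued:
            if max_path_length <= 0:
                return False
            max_path_length -= 1
        # (m): a tighter pathLenConstraint lowers the remaining budget
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return True


# Constructed chain fragments (hypothetical names).
INTERMEDIATE = Cert(subject="CN=Example Issuing CA", issuer="CN=Example Root",
                    ca=True, path_len=0)


def email_ee(issuer: str) -> Cert:
    """An end-entity S/MIME certificate issued by `issuer` (constructed)."""
    return Cert(subject="emailAddress=alice@example.com", issuer=issuer, ca=False)


# Case discussed first: a colliding certificate that names a new CA under the
# pathlen:0 intermediate. Step (l) finds max_path_length already 0 and rejects it.
ROGUE_SUBCA = Cert(subject="CN=Rogue CA", issuer="CN=Example Issuing CA",
                   ca=True, path_len=0)
CHAIN_ROGUE = [INTERMEDIATE, ROGUE_SUBCA, email_ee("CN=Rogue CA")]

# Case from the quoted reply: the same position in the chain, but the
# certificate reuses the intermediate's own subject name, so it is self-issued
# and step (l) skips the decrement; pathlen:0 is never exceeded.
SELF_ISSUED_CA = Cert(subject="CN=Example Issuing CA", issuer="CN=Example Issuing CA",
                      ca=True, path_len=0)
CHAIN_SELF_ISSUED = [INTERMEDIATE, SELF_ISSUED_CA, email_ee("CN=Example Issuing CA")]

# Baseline: an end-entity certificate issued directly by the intermediate.
CHAIN_DIRECT = [INTERMEDIATE, email_ee("CN=Example Issuing CA")]

# Contrast: the same intermediate without any pathLenConstraint lets a
# new-named sub-CA issue end-entity certificates.
INTERMEDIATE_NO_LIMIT = Cert(subject="CN=Example Issuing CA", issuer="CN=Example Root",
                             ca=True, path_len=None)
CHAIN_NO_LIMIT = [INTERMEDIATE_NO_LIMIT, ROGUE_SUBCA, email_ee("CN=Rogue CA")]


if __name__ == "__main__":
    for name, chain in [("direct EE", CHAIN_DIRECT), ("rogue sub-CA", CHAIN_ROGUE),
                        ("self-issued CA", CHAIN_SELF_ISSUED), ("no pathlen", CHAIN_NO_LIMIT)]:
        print(f"{name:15s} -> {'accepted' if check_path_length(chain) else 'rejected'}")
```

The point this makes concrete is that pathLenConstraint limits how many non-self-issued CA certificates may follow, not how many certificates of any kind. The attacker in the quoted scenario still has to obtain a valid signature on the forged certificate (the collision), and the forged certificate remains subject to every other step of section 6.1.4; only the path-length accounting is modelled here.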


