[cabfpub] Mozilla SHA-1 further restrictions
gerv at mozilla.org
Thu Nov 17 17:01:38 UTC 2016
On 17/11/16 16:44, Andrew Ayer wrote:
> If CAs really have to keep signing attacker-controlled non-certificate
> data with SHA-1,
Perhaps what we need is a collection of use cases?
What do people need to sign which is not a cert?
* OCSP response
What else? And what parts of those things could be attacker-controlled?
And how can the risk of signature transfer be mitigated?
More information about the Public