[cabfpub] Mozilla SHA-1 further restrictions
pzb at amzn.com
Thu Nov 17 18:13:02 UTC 2016

> On Nov 17, 2016, at 9:01 AM, Gervase Markham via Public <public at cabforum.org> wrote:
> On 17/11/16 16:44, Andrew Ayer wrote:
>> If CAs really have to keep signing attacker-controlled non-certificate
>> data with SHA-1,
> Perhaps what we need is a collection of use cases?
> What do people need to sign which is not a cert?
> * OCSP response
> * CRL
> What else? And what parts of those things could be attacker-controlled?
> And how can the risk of signature transfer be mitigated?

Things that CA keys sign:
- Self-signed CA Certificate
- Transitive CA Certificate (that is a CA certificate where the Issuer is not the same as the Subject; what RFC 5280 and X.509 call a “cross certificate”)
- End-entity Certificate
- Certificate Revocation Lists (as defined in RFC 5280)
- OCSP response (as defined in RFC 6960)
- Precertificate (as defined in draft-ietf-trans-rfc6962-bis)

End-entity (EE) certificates can be broken down into:
- OCSP response signer certificates (includes id-kp-OCSPSigning and no other KPs in the EKU extension and does not include keyCertSign or cRLSign in the KU extension)
- Other EE certs

I think that should cover all uses of CA keys. Anyone have others?
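
As an added example (not part of the original message, and not any CA's own tooling), the certificate categories in the list above can be applied to parsed certificates with Go's crypto/x509. It assumes a CA certificate is one with basicConstraints cA=TRUE, covers only the certificate categories (not CRLs, OCSP responses or precertificates), and the names `Classify` and `Sample` and all sample certificates are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Classify applies the message's categories; "CA" here assumes basicConstraints cA=TRUE.
func Classify(c *x509.Certificate) string {
	switch {
	case c.IsCA && bytes.Equal(c.RawIssuer, c.RawSubject):
		return "self-signed CA"
	case c.IsCA:
		return "transitive CA" // Issuer differs from Subject
	// OCSP signer: id-kp-OCSPSigning is the only KP, and KU has no keyCertSign/cRLSign.
	case len(c.ExtKeyUsage) == 1 && c.ExtKeyUsage[0] == x509.ExtKeyUsageOCSPSigning &&
		len(c.UnknownExtKeyUsage) == 0 && c.KeyUsage&(x509.KeyUsageCertSign|x509.KeyUsageCRLSign) == 0:
		return "OCSP signer EE"
	}
	return "other EE"
}

var pub, priv, _ = ed25519.GenerateKey(rand.Reader) // throwaway key shared by all samples

// Sample builds a constructed certificate; issuerCN == cn yields Issuer == Subject.
func Sample(cn, issuerCN string, ca bool, ku x509.KeyUsage, eku ...x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: ca,
		BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: eku}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, priv)
	if err == nil {
		t, err = x509.ParseCertificate(der)
	}
	if err != nil {
		panic(err)
	}
	return t
}

func main() {
	fmt.Println(Classify(Sample("Sample Root", "Sample Root", true, x509.KeyUsageCertSign)))
	fmt.Println(Classify(Sample("Sample OCSP", "Sample Root", false, 0, x509.ExtKeyUsageOCSPSigning)))
}
```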