[cabfpub] Mozilla SHA-1 further restrictions

Gervase Markham gerv at mozilla.org
Fri Nov 18 15:06:09 UTC 2016

On 17/11/16 16:44, Andrew Ayer wrote:
>> CAs may only sign SHA-1 hashes over non-certificate data (e.g. OCSP
>> responses, CRLs) using certs which chain up to roots in Mozilla's
>> program if all of the following are true:
>> * the cert has a Basic Constraints extension with a value of false in
>>   the cA component;
>> * Doing so is necessary for a documented compatibility reason;
>> * The CA takes care the all of the signed data is either static,
>>   defined by the CA, or of a known and expected form.
> I think this change takes us in the wrong direction.  It would forbid
> pre-generation of static OCSP responses signed directly by a cA:true
> certificate, which is safe, while allowing good OCSP responses to be
> forged for revoked certificates.

If, as Peter's list seems to suggest, the only non-certificate data CAs
need to sign is CRLs and OCSP responses, perhaps we can just eliminate
the first bullet above?


More information about the Public mailing list