[cabfpub] Mozilla SHA-1 further restrictions

Rob Stradling rob.stradling at comodo.com
Fri Nov 18 15:27:44 UTC 2016

On 18/11/16 15:06, Gervase Markham via Public wrote:
> On 17/11/16 16:44, Andrew Ayer wrote:
>>> CAs may only sign SHA-1 hashes over non-certificate data (e.g. OCSP
>>> responses, CRLs) using certs which chain up to roots in Mozilla's
>>> program if all of the following are true:
>>> * the cert has a Basic Constraints extension with a value of false in
>>>   the cA component;
>>> * Doing so is necessary for a documented compatibility reason;
>>> * The CA takes care that all of the signed data is either static,
>>>   defined by the CA, or of a known and expected form.
>> I think this change takes us in the wrong direction.  It would forbid
>> pre-generation of static OCSP responses signed directly by a cA:true
>> certificate, which is safe, while allowing good OCSP responses to be
>> forged for revoked certificates.
> If, as Peter's list seems to suggest, the only non-certificate data CAs
> need to sign is CRLs and OCSP responses, perhaps we can just eliminate
> the first bullet above?

RFC6962 precertificates are X.509 certificates, but 6962-bis
precertificates are CMS signed-data objects.

Does that make them "non-certificate data"?

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
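Rob's distinction above, as an added example that is not code from the thread or from any CA: a small DER walker that tells an X.509 Certificate (RFC 6962 precertificate) from a CMS ContentInfo carrying SignedData (6962-bis precertificate) and names the hash algorithm behind the signature, which is the first step in inventorying where SHA-1 is still being used. The tags and OIDs are standard; the two sample blobs are constructed stubs, not real artifacts.

```python
# Added example (not the thread's or any CA's code): walk a DER blob just far
# enough to tell an X.509 Certificate from a CMS ContentInfo holding SignedData
# and report the hash / signature algorithm it declares.
ID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")          # 1.2.840.113549.1.7.2
OID_NAMES = {bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
             bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
             bytes.fromhex("2b0e03021a"): "sha1", bytes.fromhex("608648016503040201"): "sha256"}

def der_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """(tag, value) pairs for every TLV directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def alg_name(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    oid = der_children(alg_id)[0][1]
    return OID_NAMES.get(oid, "oid:" + oid.hex())

def classify(blob):
    """Return (kind, [algorithm names]) for a DER Certificate or CMS ContentInfo."""
    tag, outer, _ = der_tlv(blob)
    kids = der_children(outer) if tag == 0x30 else []
    # CMS ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }
    if kids and kids[0][0] == 0x06:
        if kids[0][1] != ID_SIGNED_DATA or len(kids) < 2:
            return "cms-other", []
        # SignedData ::= SEQUENCE { version INTEGER, digestAlgorithms SET OF AlgId, ... }
        signed_data = der_children(kids[1][1])[0][1]
        digests = der_children(signed_data)[1][1]
        return "cms-signed-data", [alg_name(a) for _, a in der_children(digests)]
    # Certificate ::= SEQUENCE { tbsCertificate SEQ, signatureAlgorithm SEQ, signature BIT STRING }
    if [t for t, _ in kids] == [0x30, 0x30, 0x03]:
        return "x509-certificate", [alg_name(kids[1][1])]
    return "unknown", []

def tlv(tag, value):
    """Tiny DER encoder (short-form lengths only) for the constructed samples below."""
    return bytes([tag, len(value)]) + value
# Constructed samples: inner bodies are stubs, only the structure being classified is real.
SAMPLE_CERT = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01"))
              + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))
              + tlv(0x03, b"\x00"))
SAMPLE_CMS = tlv(0x30, tlv(0x06, ID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, tlv(0x02, b"\x01")
             + tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05, b""))))))
```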
