[cabfpub] Mozilla SHA-1 further restrictions

Gervase Markham gerv at mozilla.org
Fri Nov 18 15:36:58 UTC 2016


On 18/11/16 15:27, Rob Stradling wrote:
> See
> https://tools.ietf.org/id/draft-ietf-trans-rfc6962-bis-20.html#rfc.section.3.2
> 
> Does that make them "non-certificate data" ?

I note the following in the RFC: "(Note that, because of the structure
of CMS, the signature on the CMS object will not be a valid X.509v3
signature and so cannot be used to construct a certificate from the
precertificate)."

Would one solution be to say that one condition on which signing
non-cert data is OK is that if the signature is not a valid X.509v3
signature? That would cover this case.

Gerv



More information about the Public mailing list