[cabfpub] Mozilla SHA-1 further restrictions

Gervase Markham gerv at mozilla.org
Tue Nov 22 11:02:00 UTC 2016

On 22/11/16 10:35, Erwann Abalea wrote:
> The nonce is an OCTET STRING, with no constraint. As are the
> issuerKeyHash, issuerNameHash, and serialNumber.

Right. But those 3 things are constants, and other things in the OCSP
response, such as timestamps, are not. So in order to engineer a
collision using them, you'd have to set it up so that a collision worked
with a date some time in the future, and then persuade the CA to sign an
OCSP response on exactly that date and time. Seems tricky.

The nonce, on the other hand, is random and different for each. So it's
AfAICS allowing nonces is higher-risk than the issues posed by the other
3 fields you name.

> Of course the best answer should be to completely ban SHA1. But since
> we’re struggling with legacy stuff, my proposal would be to ban SHA-1
> OCSP signing from a CA key, and instead use a designated OCSP
> responder certificate for such responses.

Do other CAs have comments on the level of disruption that such a
mandate might cause? AIUI, if this were required, then a SHA-1 collision
using an OCSP response could only be used to fake another OCSP response.
Which sounds like good risk reduction.


More information about the Public mailing list