[cabfpub] SHA-1 Collision Found
Phillip Hallam-Baker
philliph at comodo.com
Thu Feb 23 20:54:08 MST 2017
> On Feb 23, 2017, at 10:40 PM, Ryan Sleevi <sleevi at google.com> wrote:
>
>
>
> On Thu, Feb 23, 2017 at 7:04 PM, philliph at comodo.com <mailto:philliph at comodo.com> <philliph at comodo.com <mailto:philliph at comodo.com>> wrote:
> If we are to lead, how about doing the obvious and setting a date by which servers and browsers are advised to provide support for SHA-3?
>
> Hi Phillip,
>
> Could you point me to any IETF documents that describe or specify how CAs would generate such signatures?
>
> And can you point me to any HSM vendors that CAs might use to ensure that their private keys are appropriately protected when generating these signatures?
>
> I look forward to engaging with you on how we can move the industry forward, and I look forward to opportunities to learn about what efforts Comodo has put forward in this space, as well as opportunities for how we as a Forum can work together to address the necessary and obvious concerns before discussing dates.
I did try to get SHA-3 added to the CURDLE working group work items. And I was told that nobody was asking for it.
Things have to break before some people will act. Which is why I consider the proposal to further reduce validity intervals to provide more procrastination time positively harmful. The SHA-2 transition took a decade. We could have started five years earlier.
SHA-2 is a direct swap for SHA-3 however. All that is required is to define the necessary OIDs. And the CURDLE charter does not preclude SHA-3, it merely does not list them as current work items.
If we are going to judge proposals by the number of other industry players who support them, where does a proposal that only garners support of one other browser and one CA stand?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170223/fcc6cd57/attachment.html>
More information about the Public
mailing list