[cabfpub] SHA-1 Collision Found

Phillip Hallam-Baker philliph at comodo.com
Thu Feb 23 20:54:08 MST 2017


> On Feb 23, 2017, at 10:40 PM, Ryan Sleevi <sleevi at google.com> wrote:
> 
> 
> 
> On Thu, Feb 23, 2017 at 7:04 PM, philliph at comodo.com <mailto:philliph at comodo.com> <philliph at comodo.com <mailto:philliph at comodo.com>> wrote:
> If we are to lead, how about doing the obvious and setting a date by which servers and browsers are advised to provide support for SHA-3?
> 
> Hi Phillip,
> 
> Could you point me to any IETF documents that describe or specify how CAs would generate such signatures?
> 
> And can you point me to any HSM vendors that CAs might use to ensure that their private keys are appropriately protected when generating these signatures?
> 
> I look forward to engaging with you on how we can move the industry forward, and I look forward to opportunities to learn about what efforts Comodo has put forward in this space, as well as opportunities for how we as a Forum can work together to address the necessary and obvious concerns before discussing dates.

I did try to get SHA-3 added to the CURDLE working group work items. And I was told that nobody was asking for it. 

Things have to break before some people will act. Which is why I consider the proposal to further reduce validity intervals to provide more procrastination time positively harmful. The SHA-2 transition took a decade. We could have started five years earlier.

SHA-2 is a direct swap for SHA-3 however. All that is required is to define the necessary OIDs. And the CURDLE charter does not preclude SHA-3, it merely does not list them as current work items.

If we are going to judge proposals by the number of other industry players who support them, where does a proposal that only garners support of one other browser and one CA stand? 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170223/fcc6cd57/attachment.html>


More information about the Public mailing list