On Tue, 23 Feb 2016 13:12:27 -0800 Yuhong Bao <yuhongbao_...@hotmail.com> wrote:
> If OneCRL always used the same hash algorithm as the certificate, > then any colliding certificate would also be treated as revoked. OneCRL would need to use the hash of the TBS, not the certificate. The TBS is what's collided, but once the signature is added, the hashes are not identical anymore (unless the length of the TBS happens to be a multiple of the SHA-1 block size). Andrew _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
