On 04/11/16 23:51, Andrew Ayer wrote:
> The March 2016 CA communication said[1]:
> 
> "It has been pointed out in the mozilla.dev.security.policy forum that
> a chosen-prefix attack on SHA-1 could be used to forge a certificate if
> a CA's private key is used to sign *anything* with SHA-1."
> 
> Therefore, CAs participating in the Mozilla program know that this
> practice is dangerous.

This is true; however, unfortunately, I don't believe this amounts to a
requirement that CAs should not use SHA-1 at all any more.

> Frankly, I'm disappointed that despite my efforts to draw attention to
> this issue in March, both in the context of non-serverAuth certificates[2]
> and OCSP responses[3], Mozilla took no further action, such as
> amending Mozilla policy or proposing a CABF ballot to plug this hole.

Your disappointment stings.

> If they had sent an incident report to Mozilla I would agree, but I do
> not think that CAs should be credited for noticing mistakes when they
> try to sweep them under the rug.  This is particularly true in the case
> of SHA-1 misissuance, where revoking without broader notification
> demonstrates not competence but rather a lack of understanding of the
> risks.

Your point being that if they do disclose, the community can then run
crypto analysis over the cert to see if it's likely to be constructed as
part of a collision attempt?

Gerv
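
The follow-up question above (whether a disclosed certificate can be checked for signs of SHA-1 use) has a simple first step that any relying party can automate: read the signatureAlgorithm out of the DER and flag SHA-1 based OIDs. The block below is an added example and is not code from the thread or from Mozilla; it is a minimal, standard-library-only DER walker. The sample certificates it builds are constructed skeletons (placeholder tbsCertificate and signature bytes), not real CA output, and the helper names (`read_tlv`, `signature_algorithm`, `uses_sha1`, `build_sample_cert`) are my own.

```python
# Added example, not from the mailing-list thread: flag SHA-1 based signature
# algorithms in a DER-encoded X.509 Certificate using only the standard library.

# Signature algorithm OIDs from RFC 3279 / RFC 5758.
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
OTHER_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def read_tlv(data: bytes, offset: int):
    """Return (tag, value, next_offset) for the DER element at offset."""
    tag = data[offset]
    first = data[offset + 1]
    pos = offset + 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, data[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # last base-128 byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Return the dotted OID of the outer signatureAlgorithm."""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, _, off = read_tlv(cert_body, 0)             # skip tbsCertificate
    _, alg_body, _ = read_tlv(cert_body, off)      # AlgorithmIdentifier
    tag, oid_bytes, _ = read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(oid_bytes)


def uses_sha1(cert_der: bytes) -> bool:
    """True when the certificate's outer signature is SHA-1 based."""
    return signature_algorithm(cert_der) in SHA1_SIG_OIDS


# --- constructed sample input (hypothetical, not a real certificate) ---------

def encode_tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = []
        while True:                       # base-128, least-significant first
            chunks.append(arc & 0x7F)
            arc >>= 7
            if not arc:
                break
        chunks.reverse()                  # most-significant first on the wire
        body += bytes([c | 0x80 for c in chunks[:-1]] + [chunks[-1]])
    return encode_tlv(0x06, body)


def build_sample_cert(sig_oid: str) -> bytes:
    """Skeletal Certificate with placeholder tbsCertificate and signature bytes."""
    tbs = encode_tlv(0x30, encode_tlv(0x02, b"\x01"))            # placeholder TBS
    alg = encode_tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")    # OID + NULL params
    sig = encode_tlv(0x03, b"\x00" + b"\xAA" * 4)                # placeholder BIT STRING
    return encode_tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        cert = build_sample_cert(oid)
        found = signature_algorithm(cert)
        name = SHA1_SIG_OIDS.get(found) or OTHER_SIG_OIDS.get(found, "unknown")
        print(f"{found} ({name}) SHA-1: {uses_sha1(cert)}")
```

The same walker applies unchanged to a BasicOCSPResponse, whose layout is likewise tbsResponseData followed by signatureAlgorithm and a BIT STRING, which is the OCSP case the thread also raises. Note that this only answers "was SHA-1 used", the precondition for the chosen-prefix concern; deciding whether a given certificate was actually built as half of a collision requires inspecting the to-be-signed bytes themselves, which is exactly why disclosure of the certificate matters.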

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy