On Mon, 14 Aug 2017 20:27:05 +0100
Neil Dunbar via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> Note that TrustCor is capable of removing SHA-1 as a signature hash on
> OCSP responses, if the community determines it presents risk to the
> relying parties. However, this does raise the risk to some clients
> that would fail to understand the signature on the response.  We
> should prefer to service as many clients as faithfully as we can while
> remaining true to the security principles of this community.

Yes, OCSP responses signed with SHA-1 do present a risk, since a
chosen prefix attack can be performed to forge OCSP responses and even
certificates:
https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02999.html

Even if you technically constrain your OCSP responder certificates as
required by Mozilla policy section 5.1.1, forged OCSP responses are
still possible if you use SHA-1.  That would allow attackers to use
revoked certificates.  So it would be better if you didn't use SHA-1 at
all for OCSP responses.

Thanks for your consideration of security feedback from the community.

Regards,
Andrew
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
