Andrew, SHA-1 has been removed from the TrustCor OCSP list of acceptable hash algorithms for responder signatures.
The minimum hash deemed acceptable now is SHA-256. We have updated the CP/CPS in section 6.1.5 to clarify that SHA-1 will no longer be honoured as a signature algorithm. Best regards, Neil Dunbar TrustCor CA Administrator > On 14 Aug 2017, at 20:48, Andrew Ayer via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > On Mon, 14 Aug 2017 20:27:05 +0100 > Neil Dunbar via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > >> Note that TrustCor is capable of removing SHA-1 as a signature hash on >> OCSP responses, if the community determines it presents risk to the >> relying parties. However, this does raise the risk to some clients >> that would fail to understand the signature on the response. We >> should prefer to service as many clients as faithfully as we can while >> remaining true to the security principles of this community. > > Yes, OCSP responses signed with SHA-1 do present a risk, since a > chosen prefix attack can be performed to forge OCSP responses and even > certificates: > https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02999.html > > Even if you technically constrain your OCSP responder certificates as > required by Mozilla policy section 5.1.1, forged OCSP responses are > still possible if you use SHA-1. That would allow attackers to use > revoked certificates. So it would be better if you didn't use SHA-1 at > all for OCSP responses. > > Thanks for your consideration of security feedback from the community. > > Regards, > Andrew > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy