Thanks Neil, I've looked over the updated CP and CPS documents and have no further comments or questions.
Cheers,
Andrew

On Tue, Aug 15, 2017 at 12:18 PM, Neil Dunbar via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Andrew,
>
> SHA-1 has been removed from the TrustCor OCSP list of acceptable hash algorithms for responder signatures.
>
> The minimum hash deemed acceptable now is SHA-256. We have updated the CP/CPS in section 6.1.5 to clarify that SHA-1 will no longer be honoured as a signature algorithm.
>
> Best regards,
>
> Neil Dunbar
> TrustCor CA Administrator
>
> > On 14 Aug 2017, at 20:48, Andrew Ayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> >
> > On Mon, 14 Aug 2017 20:27:05 +0100
> > Neil Dunbar via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> >
> > > Note that TrustCor is capable of removing SHA-1 as a signature hash on OCSP responses, if the community determines it presents risk to the relying parties. However, this does raise the risk to some clients that would fail to understand the signature on the response. We should prefer to service as many clients as faithfully as we can while remaining true to the security principles of this community.
> >
> > Yes, OCSP responses signed with SHA-1 do present a risk, since a chosen prefix attack can be performed to forge OCSP responses and even certificates:
> > https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02999.html
> >
> > Even if you technically constrain your OCSP responder certificates as required by Mozilla policy section 5.1.1, forged OCSP responses are still possible if you use SHA-1. That would allow attackers to use revoked certificates. So it would be better if you didn't use SHA-1 at all for OCSP responses.
> >
> > Thanks for your consideration of security feedback from the community.
> >
> > Regards,
> > Andrew

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
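The relying-party side of the policy discussed in this thread (refuse OCSP responses whose responder signature uses SHA-1), as an added example that is not part of the thread or of TrustCor's software: it walks the DER structure of an RFC 6960 OCSPResponse with the standard library only and extracts the signatureAlgorithm OID. The sample responses are constructed here with dummy tbsResponseData and signature fields; only the AlgorithmIdentifier is meaningful.

```python
"""Added example: read the signatureAlgorithm of a DER OCSP response (RFC 6960) with only
the standard library, so a relying party can refuse SHA-1-signed responses. Samples are
constructed with dummy fields; only the AlgorithmIdentifier carries real information."""
# DER OBJECT IDENTIFIER contents, pre-encoded (dotted form in the comments).
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5  sha1WithRSAEncryption
OID_ECDSA_SHA1 = bytes.fromhex("2a8648ce3d0401")       # 1.2.840.10045.4.1     ecdsa-with-SHA1
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
OID_OCSP_BASIC = bytes.fromhex("2b0601050507300101")   # 1.3.6.1.5.5.7.48.1.1  id-pkix-ocsp-basic
SHA1_SIGNATURE_OIDS = {OID_SHA1_RSA, OID_ECDSA_SHA1}

def der(tag, content):
    """Minimal DER TLV encoder (contents shorter than 65536 bytes)."""
    n = len(content)
    ln = bytes([n]) if n < 128 else b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + content

def tlv(buf, pos=0):
    """Decode one TLV at pos: returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def nth(buf, idx):
    """Content of the idx-th TLV inside buf (malformed or truncated input raises)."""
    pos = 0
    for _ in range(idx + 1):
        _, content, pos = tlv(buf, pos)
    return content

def build_sample_response(sig_oid_content):
    """Constructed OCSPResponse(successful) around a BasicOCSPResponse; dummy data and signature."""
    alg_id = der(0x30, der(0x06, sig_oid_content) + der(0x05, b""))        # algorithm + NULL params
    basic = der(0x30, der(0x30, b"") + alg_id + der(0x03, b"\x00" * 33))   # tbs, sigAlg, BIT STRING
    response_bytes = der(0x30, der(0x06, OID_OCSP_BASIC) + der(0x04, basic))
    return der(0x30, der(0x0A, b"\x00") + der(0xA0, response_bytes))       # responseStatus successful(0)

def signature_algorithm(resp):
    """Raw OID content of the responder signature algorithm in a successful OCSP response."""
    body = nth(resp, 0)                                  # OCSPResponse SEQUENCE
    if nth(body, 0) != b"\x00":
        raise ValueError("not a successful OCSP response")
    rb = nth(nth(body, 1), 0)                            # [0] EXPLICIT -> ResponseBytes SEQUENCE
    if nth(rb, 0) != OID_OCSP_BASIC:
        raise ValueError("unsupported responseType")
    basic = nth(nth(rb, 1), 0)                           # OCTET STRING -> BasicOCSPResponse
    return nth(nth(basic, 1), 0)                         # signatureAlgorithm.algorithm

def accept_response(resp):
    """Relying-party policy: refuse any response signed with a SHA-1 based algorithm."""
    return signature_algorithm(resp) not in SHA1_SIGNATURE_OIDS
```

A real client would run this check before, not instead of, signature verification against the responder certificate; the point is that a SHA-1 signature is rejected regardless of whether it verifies.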