Mozilla intends to place further restrictions (beyond those in the BRs) on the use of SHA-1 in hierarchies chaining up to our embedded roots. The goal here is to reduce the value of a SHA-1 collision to an attacker. (Bear in mind that Mozilla's root program covers email as well as server certs.) The current text has been discussed in m.d.s.policy, and is this:
<quote>
CAs may only sign SHA-1 hashes over end-entity certs which chain up to roots in Mozilla's program if all the following are true:

* The certificate is not within the scope of the Baseline Requirements;
* The issuing CA and the certificate itself both have a critical EKU extension with a single key purpose, which is not id-kp-serverAuth or anyExtendedKeyUsage;
* The issuing CA has a pathlen:0 constraint;
* The certificate has at least 64 bits of entropy from a CSPRNG in the serial number.

CAs may only sign SHA-1 hashes over non-certificate data (e.g. OCSP responses, CRLs) using certs which chain up to roots in Mozilla's program if all of the following are true:

* Doing so is necessary for a documented compatibility reason;
* All of the signed data is static, or defined by the CA and not another party.
</quote>

We intend to impose this requirement with a compliance deadline of 6 months, as it may require cutting new intermediates, and compatibility testing with EKUs in intermediates.

This is a last call for objections that have not so far been raised.

Gerv

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
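The end-entity conditions in the quoted text are mostly checkable from the certificates themselves (critical single-purpose EKU on both issuer and leaf, pathlen:0 on the issuer, a serial large enough to hold 64 bits). The checker below is an added example written for this page, not code from Gerv, Mozilla or the CAB Forum. It uses the pyca/cryptography library and builds its own throwaway test certificates (a conforming S/MIME issuer/leaf pair and a pair that breaks every rule); the names in it are constructed. Two caveats it cannot remove: BR scope is a policy question, for which the EKU test is only the certificate-level proxy, and a serial's bit length is a necessary condition for 64 bits of entropy, not proof that the bits came from a CSPRNG.

```python
"""Check a leaf and its issuing CA against the SHA-1 end-entity conditions
quoted above. Example code for this page, not Mozilla's or the CAB Forum's."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Purposes the policy forbids in the single-purpose EKU.
FORBIDDEN_PURPOSES = {ExtendedKeyUsageOID.SERVER_AUTH,
                      ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE}
MIN_SERIAL_BITS = 64


def check_single_critical_eku(cert):
    """Critical EKU with exactly one purpose, not serverAuth/anyEKU. None == ok."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    except x509.ExtensionNotFound:
        return "no EKU extension"
    if not ext.critical:
        return "EKU extension is not critical"
    purposes = list(ext.value)
    if len(purposes) != 1:
        return "EKU lists %d purposes, expected exactly one" % len(purposes)
    if purposes[0] in FORBIDDEN_PURPOSES:
        return "EKU purpose %s is serverAuth or anyExtendedKeyUsage" % purposes[0].dotted_string
    return None


def check_pathlen_zero(ca):
    """basicConstraints CA:TRUE, pathlen:0 on the issuing CA. None == ok."""
    try:
        bc = ca.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return "no basicConstraints extension"
    if not bc.ca:
        return "issuer is not marked CA:TRUE"
    if bc.path_length != 0:
        return "pathlen is %r, expected 0" % (bc.path_length,)
    return None


def check_serial_size(cert):
    """Necessary condition only: a serial cannot hold more entropy than it has
    bits. Whether the bits came from a CSPRNG is CA practice, not visible here."""
    bits = cert.serial_number.bit_length()
    if bits < MIN_SERIAL_BITS:
        return "serial has only %d bits, cannot hold %d bits of entropy" % (bits, MIN_SERIAL_BITS)
    return None


def sha1_eligibility(leaf, issuer):
    """Return (eligible, findings) for signing `leaf` with SHA-1 under `issuer`."""
    checks = (("issuer EKU", check_single_critical_eku(issuer)),
              ("leaf EKU", check_single_critical_eku(leaf)),
              ("issuer pathlen", check_pathlen_zero(issuer)),
              ("leaf serial", check_serial_size(leaf)))
    findings = ["%s: %s" % (label, r) for label, r in checks if r is not None]
    return (not findings), findings


def _cert(subject, issuer_name, key, signer, serial, extensions):
    """Build and sign a minimal certificate (signature hash is irrelevant to the checks)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
         .public_key(key.public_key()).serial_number(serial)
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical=critical)
    return b.sign(signer, hashes.SHA256())


def build_demo():
    """Constructed test data: a conforming pair, then a pair violating every rule
    (no pathlen, no issuer EKU, non-critical leaf EKU including serverAuth, serial 1)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo S/MIME Issuing CA")])
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo S/MIME User")])
    email_only = x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION])
    good_ca = _cert(ca_name, ca_name, ca_key, ca_key, x509.random_serial_number(),
                    [(x509.BasicConstraints(ca=True, path_length=0), True), (email_only, True)])
    good_leaf = _cert(leaf_name, ca_name, leaf_key, ca_key, x509.random_serial_number(),
                      [(x509.BasicConstraints(ca=False, path_length=None), True), (email_only, True)])
    bad_ca = _cert(ca_name, ca_name, ca_key, ca_key, x509.random_serial_number(),
                   [(x509.BasicConstraints(ca=True, path_length=None), True)])
    bad_leaf = _cert(leaf_name, ca_name, leaf_key, ca_key, 1,
                     [(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION,
                                              ExtendedKeyUsageOID.SERVER_AUTH]), False)])
    return good_ca, good_leaf, bad_ca, bad_leaf


if __name__ == "__main__":
    good_ca, good_leaf, bad_ca, bad_leaf = build_demo()
    for leaf, ca in ((good_leaf, good_ca), (bad_leaf, bad_ca)):
        ok, findings = sha1_eligibility(leaf, ca)
        print("eligible" if ok else "NOT eligible", findings)
```

To run it against real certificates, replace `build_demo()` with `x509.load_pem_x509_certificate()` on the leaf and its issuing intermediate. The checks deliberately return the first failing reason per certificate rather than a bare boolean, since the compliance deadline in the message hinges on which condition forces a new intermediate.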
