> On Nov 17, 2016, at 9:01 AM, Gervase Markham via Public <[email protected]> wrote:
>
> On 17/11/16 16:44, Andrew Ayer wrote:
>> If CAs really have to keep signing attacker-controlled non-certificate
>> data with SHA-1,
>
> Perhaps what we need is a collection of use cases?
>
> What do people need to sign which is not a cert?
>
> * OCSP response
> * CRL
>
> What else? And what parts of those things could be attacker-controlled?
> And how can the risk of signature transfer be mitigated?

Things that CA keys sign:

- Self-signed CA Certificate
- Transitive CA Certificate (that is a CA certificate where the Issuer is not the same as the Subject; what RFC 5280 and X.509 call a “cross certificate”)
- End-entity Certificate
- Certificate Revocation Lists (as defined in RFC 5280)
- OCSP response (as defined in RFC 6960)
- Precertificate (as defined in draft-ietf-trans-rfc6962-bis)

End-entity (EE) certificates can be broken down into:

- OCSP response signer certificates (includes id-kp-OCSPSigning and no other KP’s in the EKU extension and does not include keyCertSign or cRLSign in the KU extension)
- Other EE certs

I think that should cover all uses of CA keys. Anyone have others?

Thanks,
Peter

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
