On 21/11/16 19:12, Gervase Markham wrote:
On 18/11/16 15:27, Rob Stradling wrote:
RFC6962 precertificates are X.509 certificates, but 6962-bis
precertificates are CMS signed-data objects.
See
https://tools.ietf.org/id/draft-ietf-trans-rfc6962-bis-20.html#rfc.section.3.2
Does that make them "non-certificate data" ?
Hang on... why would someone be signing one of these using SHA-1?
1. Sometimes CAs make mistakes. Perhaps you've noticed. ;-)
2. RFC6962 is geared towards the WebPKI, but I heard that at least one
CA (WoSign) was planning to submit all code signing certs and client
certs to public CT logs too.
3. It's not impossible that there are private RFC6962 deployments
outside the WebPKI.
SHA-1 use in the WebPKI is banned.
Indeed.
Regardless of any of the above, I think it's always a good idea to
categorize things as clearly as possible.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
