[cabfpub] Question raised during CABF call today

Rob Stradling rob.stradling at comodo.com
Fri Nov 22 14:05:36 MST 2013


On 22/11/13 15:32, Paul Tiemann wrote:
>
> On Nov 22, 2013, at 4:48 AM, Rob Stradling <rob.stradling at comodo.com> wrote:
>
>> On 21/11/13 19:10, Geoff Keating wrote:
>> <snip>
>>> For OCSP, I don't believe we have any plans to change the algorithm used
>>> to hash the issuer name and public key in the OCSP request.  I'd be
>>> interested in opinions as to whether this is necessary or desirable.
>>
>> Please keep using SHA-1 for the issuerNameHash and issuerKeyHash.  Forever!
>
> +1
>
> Using anything else for issuerNameHash and issuerKeyHash would likely
> break most OCSP implementations (on both client and server side) and it wouldn't
> deliver any security gain.

I just looked at a recent day's worth of OCSP logs.

We received 15 OCSP Requests that used the "GOST R 34.11-94" hash 
algorithm for the issuerNameHash and issuerKeyHash.  The rest of the N 
billion OCSP Requests we received all used SHA-1.

Not even a single OCSP Request used SHA-2 for issuerNameHash and 
issuerKeyHash.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
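The kind of tally Rob describes, as an added example that is not part of the thread and not Comodo's responder code: a pure-Python script that builds OCSPRequests (RFC 6960 section 4.1.1) whose CertID uses different hashAlgorithm OIDs, then parses the DER and counts which algorithm each request used. The issuer Name, the "public key" bits, the serial number and the GOST digest values are all constructed placeholders (hashlib has no GOST R 34.11-94, so those two digests are fixed bytes); the SHA-1 and SHA-256 issuerNameHash/issuerKeyHash values are computed the way the RFC specifies, over the DER issuer Name and over the raw subjectPublicKey bits.

```python
"""Tally the CertID.hashAlgorithm used by a batch of OCSP requests.

Added example, not from the CABF thread or any CA's responder. Minimal DER
encoder/decoder covering only what an unsigned OCSPRequest needs.
"""
import hashlib
from collections import Counter

# OIDs seen in CertID.hashAlgorithm; anything else is reported by dotted OID.
HASH_OIDS = {
    "1.3.14.3.2.26": "SHA-1",
    "2.16.840.1.101.3.4.2.1": "SHA-256",
    "1.2.643.2.2.9": "GOST R 34.11-94",
}


def _len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def der_int(n):
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def compute_certid_hashes(issuer_name_der, subject_public_key_bits, hashfn):
    """RFC 6960 4.1.1: issuerNameHash over the DER-encoded issuer Name,
    issuerKeyHash over the subjectPublicKey value (no tag, length, unused bits)."""
    return hashfn(issuer_name_der).digest(), hashfn(subject_public_key_bits).digest()


def build_ocsp_request(hash_oid, name_hash, key_hash, serial):
    """Unsigned single-Request OCSPRequest; version v1 is DEFAULT and omitted."""
    alg_id = der(0x30, der_oid(hash_oid) + der(0x05, b""))
    cert_id = der(0x30, alg_id + der(0x04, name_hash) + der(0x04, key_hash) + der_int(serial))
    request_list = der(0x30, der(0x30, cert_id))
    return der(0x30, der(0x30, request_list))


def parse_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def certid_hash_oids(request_der):
    """hashAlgorithm OID of every Request in an OCSPRequest (signature ignored)."""
    _, ocsp, _ = parse_tlv(request_der)
    tbs = children(ocsp)[0][1]
    # Skip optional [0] version / [1] requestorName; requestList is the SEQUENCE.
    request_list = next(v for t, v in children(tbs) if t == 0x30)
    oids = []
    for _, req in children(request_list):
        alg_id = children(children(req)[0][1])[0][1]
        oids.append(decode_oid(children(alg_id)[0][1]))
    return oids


def tally_hash_algorithms(requests):
    counts = Counter()
    for r in requests:
        for oid in certid_hash_oids(r):
            counts[HASH_OIDS.get(oid, oid)] += 1
    return counts


# Constructed sample issuer: Name "CN=Example Issuing CA", 32 dummy key bytes.
ISSUER_NAME_DER = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, b"Example Issuing CA"))))
ISSUER_KEY_BITS = bytes(range(32))
SHA1_HASHES = compute_certid_hashes(ISSUER_NAME_DER, ISSUER_KEY_BITS, hashlib.sha1)
SHA256_HASHES = compute_certid_hashes(ISSUER_NAME_DER, ISSUER_KEY_BITS, hashlib.sha256)
GOST_HASHES = (b"\x11" * 32, b"\x22" * 32)   # placeholder digests, not real GOST output

SAMPLE_REQUESTS = (
    [build_ocsp_request("1.3.14.3.2.26", *SHA1_HASHES, 0x1A2B3C)] * 5
    + [build_ocsp_request("1.2.643.2.2.9", *GOST_HASHES, 0x1A2B3C)] * 2
    + [build_ocsp_request("2.16.840.1.101.3.4.2.1", *SHA256_HASHES, 0x1A2B3C)]
)

if __name__ == "__main__":
    for alg, n in tally_hash_algorithms(SAMPLE_REQUESTS).most_common():
        print(f"{alg:16} {n}")
```

A responder that keys its issuer table on the SHA-1 pair has to do this classification up front anyway: a request arriving with a different hashAlgorithm will not match the precomputed issuerNameHash/issuerKeyHash, so it has to be either rehashed against every known issuer or answered with unknown.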
