[cabfpub] FW: Ballot - expiration of SHA1 certificates

Gervase Markham gerv at mozilla.org
Mon Sep 8 11:13:00 MST 2014


On 08/09/14 18:34, Erwann Abalea wrote:
> Once the signature is done (using SHA1), the risk is a preimage one, and 
> SHA1 isn't concerned so far.

I agree; I understand the difference between preimage attacks and
collision attacks. But as a wise man said, attacks only get better. And
I would add "private attacks are almost always better than public
attacks", i.e. it's rare that the most advanced analysis is that which
has been published.

> But I prefer analysis and risk management driven decisions, if possible. 
> If risk management tells us that SHA1's resistance to preimage can't be 
> trusted, ok, let's switch everything to SHA2: all signatures, but also 
> PRF used in TLS<1.2, entropy pools in OS and libraries, maybe entropy 
> filtering on HSMs, other?

It seems to me, from observance of history, that risk management in hash
algorithms is best done by "when it starts to look weak, drop it like
the beat in a hip-hop club".

Gerv


More information about the Public mailing list