[cabfpub] SHA1 options for payment processors

Ryan Sleevi sleevi at google.com
Thu Apr 7 20:44:21 UTC 2016


On Thu, Apr 7, 2016 at 1:30 PM, Peter Bowen <pzb at amzn.com> wrote:

> I would posit that it might be acceptable to even allow a short window
> (say now until May 31, 2016) to log SHA-1 or SHA-2 certificates that will
> be eligible for “cloning” to SHA-1 certificates.
>

That might work. There's a part of me that would like a "no backdating"
ballot before that, but since that would equally rely on trusting the
auditors to catch it (in the future), and since it wouldn't cover CAs that
immediately started backdating once Andrew sent his email (Sorry, we have
to assume an adversarial model), maybe it's not essential for this - and
just separately good.


> However I would want to get an update from the team that published the
> free-start collision to see if they have made progress to a full collision
> before committing to that.
>

I've tried reaching out to the team to get feedback on your proposal, and
will share whatever I hear from them.