[cabfpub] A better way to do SHA-1 legacy

Rob Stradling rob.stradling at comodo.com
Tue Jul 19 07:17:52 MST 2016


On 19/07/16 14:08, Gervase Markham wrote:
> On 18/07/16 18:36, philliph at comodo.com wrote:
>> Looking at the recent SHA-1 muck-up, I am not confident that the
>> current approach works. It fails for the same reason that random
>> Elliptic Curve parameters fail: there is no mechanism that allows a
>> process for generating random numbers to be audited.
>>
>> So let's go to the solution we chose for EC - rigid construction. This
>> can be made to be auditable.
>
> This seems like a good idea; objections?

We only just voted to require serial numbers to contain "at least 64 
bits of output from a CSPRNG" [1] !  ;-)

Ballot 164 replaced '“entropy” with “CSPRNG” to make the requirement 
clearer and easier to audit'.  However, that's referring to the kind of 
auditing that can only be done by WebTrust/ETSI auditors, whereas 
rigidly constructed serial numbers would be auditable by anyone.

If rigidly constructed serial numbers are deemed acceptable when signing 
certs with a legacy signature algorithm (sha1WithRSAEncryption), would 
it also make sense to permit (or even require) rigidly constructed 
serial numbers to be used when signing with current/future signature 
algorithms (e.g. sha256WithRSAEncryption)?


[1] https://cabforum.org/2016/07/08/ballot-164/

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
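The exchange above turns on the Ballot 164 requirement that a serial number carry "at least 64 bits of output from a CSPRNG". The following is an added example, not code from the thread or from any CA: it hand-rolls the DER INTEGER encoding for the serialNumber field, shows the common pitfall of drawing 64 bits and then clearing the top bit (which leaves only 63 bits of CSPRNG output), shows one construction that keeps all 64 bits while staying positive (a fixed leading 0x01 octet, my assumption of a compliant layout; the thread proposes none), and gives the only check an outside party can run on a single certificate: structural necessary conditions (positive, minimal DER, at most 20 octets per RFC 5280, wide enough to have held 64 random bits), which cannot prove the bits actually came from a CSPRNG. The function names are mine.

```python
import secrets

# RFC 5280 section 4.1.2.2: serialNumber MUST be a positive integer, and
# conforming CAs MUST NOT use serialNumber values longer than 20 octets.
MAX_SERIAL_OCTETS = 20
# Ballot 164 floor, as quoted in the thread.
MIN_CSPRNG_BITS = 64


def der_integer(value: int) -> bytes:
    """DER-encode a non-negative integer as tag 0x02, short-form length, minimal
    two's-complement body (a leading 0x00 is added only when the top bit is set).
    Lengths up to 127 octets only, which is plenty for a serial number."""
    if value < 0:
        raise ValueError("negative values are not valid serial numbers")
    n = value.bit_length() // 8 + 1          # minimal length with sign bit clear
    body = value.to_bytes(n, "big")
    return b"\x02" + bytes([len(body)]) + body


def parse_der_integer(der: bytes) -> int:
    """Decode a short-form DER INTEGER back to a Python int (signed)."""
    if len(der) < 3 or der[0] != 0x02 or der[1] & 0x80:
        raise ValueError("not a short-form DER INTEGER")
    body = der[2:2 + der[1]]
    if len(body) != der[1]:
        raise ValueError("truncated DER INTEGER")
    return int.from_bytes(body, "big", signed=True)


def serial_63_bits() -> int:
    """The pitfall: draw 64 CSPRNG bits, then clear the top bit so the DER
    encoding stays positive in 8 octets. Only 63 bits of CSPRNG output survive,
    which is below the 64-bit floor."""
    return secrets.randbits(64) & ~(1 << 63)


def serial_ballot_164() -> int:
    """Keep all 64 CSPRNG bits and guarantee a positive value with a fixed
    leading 0x01 octet (assumed layout; DER body is 9 octets)."""
    return (1 << 64) | secrets.randbits(64)


def check_serial(der: bytes) -> dict:
    """Necessary (not sufficient) checks an outside party can run on one serial.
    A value below 2**64 cannot have carried 64 random bits, so a positive DER
    INTEGER of 8 or fewer octets fails; a 9-octet value passes this check but
    nothing here proves its bits came from a CSPRNG, which is the thread's point."""
    value = parse_der_integer(der)
    body = der[2:]
    minimal = not (len(body) > 1 and body[0] == 0x00 and body[1] < 0x80)
    return {
        "positive": value > 0,
        "octets": len(body),
        "minimal_der": minimal,
        "within_20_octets": len(body) <= MAX_SERIAL_OCTETS,
        # 8 positive octets top out at 2**63 - 1, short of 2**64 possibilities.
        "could_hold_64_csprng_bits": minimal and value >= (1 << MIN_CSPRNG_BITS),
    }


if __name__ == "__main__":
    for label, gen in (("63-bit pitfall", serial_63_bits), ("Ballot 164", serial_ballot_164)):
        der = der_integer(gen())
        print(label, der.hex(), check_serial(der))
```

Running it a few times shows the pitfall serial always encodes in 8 octets or fewer and never passes `could_hold_64_csprng_bits`, while the 9-octet construction always does; what no run can show is whether the low 64 bits of either were produced by a CSPRNG, which is why the thread contrasts auditor-only evidence with a construction anyone can recompute.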
