[cabfpub] Application for SHA-1 Issuance

Gervase Markham gerv at mozilla.org
Fri Jul 22 11:19:58 UTC 2016


On 21/07/16 22:53, Dean Coclin wrote:
> Geoff, Thank you for the additional feedback.  It seems that several
> parties have similar comments.
> 
> Is it the consensus of the community to request that TSYS resubmit
> the TBS certificates, even though the counter crypt analysis so far
> has shown no issues? I realize that is an independent function but
> please provide feedback if you would like TSYS to do as Geoff
> suggests as soon as possible.

I am moving house next week, and so cannot guarantee my ability to
participate in this discussion.

Mozilla approves the application from TSYS (that is to say, we will
accept a qualified BR audit from their CA where the qualifications
relate to this event) on the condition that the serial numbers of the
final certificates follow some documented strict construction process,
in broadly the manner PHB outlined, using a modern crypto hash algorithm
in the process of serial number generation, using an earlier form of the
cert as input. I believe this should be a sufficient stopgap to reassure
the public (who cannot see inside the CA's or TSYS's operations) that
collisions are not being attempted. Other CAs may want the process
nailed down; the above is intended to be vague enough to accommodate
whatever they decide.

We do not (although others may) require that TSYS reuse old keys, or
remove the random identifiers from the OU.

Dean indicated on yesterday's call that following this type of process
was possible for Symantec if approval from browsers was provided
quickly. This is an attempt to provide such approval with the necessary
speed.

Gerv



More information about the Public mailing list