[cabfpub] Mozilla SHA-1 further restrictions
Rob Stradling
rob.stradling at comodo.com
Thu Nov 17 12:42:16 UTC 2016
On 17/11/16 11:48, Gervase Markham via Public wrote:
> Mozilla intends to place further restrictions (beyond those in the BRs)
> on the use of SHA-1 in hierarchies chaining up to our embedded roots.
> The goal here is to reduce the value of a SHA-1 collision to an
> attacker. (Bear in mind that Mozilla's root program covers email as well
> as server certs.) The current text has been discussed in m.d.s.policy,
> and is this:
>
> <quote>
> CAs may only sign SHA-1 hashes over end-entity certs which chain up to
> roots in Mozilla's program if all the following are true:
>
> * The certificate is not within the scope of the Baseline Requirements;
>
> * The issuing CA and the certificate itself both have a critical EKU
> extension with a single key purpose, which is not id-kp-serverAuth or
> anyExtendedKeyUsage;
Gerv, why must the EKU extension be critical?
If an application processes the EKU extension, the critical flag is
redundant. All of Mozilla's certificate path validation libraries
process the EKU extension, right? (I haven't seen an application blow
up due to a critical EKU extension since Netscape 4.77!)
I don't remember ever seeing an intermediate cert with a critical EKU
extension. It would be unfortunate if your "further restrictions" lead
to CAs reissuing their SHA-1 intermediates!
<snip>
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
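To make the criticality question concrete: in the DER encoding of an X.509 Extension, the critical flag is a BOOLEAN with DEFAULT FALSE, so a non-critical EKU extension simply omits it, and a validator that processes EKU at all behaves the same either way. The Python below is an added illustration, not code from this thread, from Mozilla or from any CA. It is a small stdlib-only DER codec for an ExtendedKeyUsage extension plus a check that applies the EKU clause of the quoted policy (critical, exactly one key purpose, and that purpose neither id-kp-serverAuth nor anyExtendedKeyUsage) to both the issuing CA's and the end-entity's extension. The sample extensions are constructed inside the block; the "not within the scope of the Baseline Requirements" condition is a policy judgement and is not modelled here.

```python
"""Encode/decode an X.509 ExtendedKeyUsage extension (RFC 5280) in DER and
apply the EKU part of Mozilla's proposed SHA-1 rule to a CA/EE pair.
Stdlib only; all sample data is constructed for illustration."""

ID_CE_EXT_KEY_USAGE = "2.5.29.37"
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"


def _der_len(n: int) -> bytes:
    """DER definite length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def encode_eku_extension(purposes, critical: bool) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }  with extnValue wrapping SEQUENCE OF KeyPurposeId.
    Because critical has DEFAULT FALSE, DER omits the BOOLEAN when it is false."""
    eku = _tlv(0x30, b"".join(encode_oid(p) for p in purposes))
    parts = [encode_oid(ID_CE_EXT_KEY_USAGE)]
    if critical:
        parts.append(_tlv(0x01, b"\xff"))
    parts.append(_tlv(0x04, eku))
    return _tlv(0x30, b"".join(parts))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_eku_extension(der: bytes):
    """Return (critical, [purpose OIDs]); absent BOOLEAN means non-critical."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != ID_CE_EXT_KEY_USAGE:
        raise ValueError("not an extKeyUsage extension")
    critical = False
    tag, val, pos = _read_tlv(body, pos)
    if tag == 0x01:                       # optional critical BOOLEAN present
        critical = val != b"\x00"
        tag, val, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected extnValue OCTET STRING")
    tag, seq, _ = _read_tlv(val, 0)
    if tag != 0x30:
        raise ValueError("ExtKeyUsageSyntax must be a SEQUENCE OF")
    purposes, p = [], 0
    while p < len(seq):
        tag, oid, p = _read_tlv(seq, p)
        purposes.append(decode_oid(oid))
    return critical, purposes


def eku_permits_sha1(ext_der: bytes) -> bool:
    """The quoted Mozilla condition applied to one certificate's EKU extension."""
    critical, purposes = decode_eku_extension(ext_der)
    return (critical and len(purposes) == 1
            and purposes[0] not in (ID_KP_SERVER_AUTH, ANY_EXTENDED_KEY_USAGE))


def sha1_signing_allowed(ca_ext_der: bytes, ee_ext_der: bytes) -> bool:
    """Both the issuing CA and the end-entity certificate must satisfy the rule."""
    return eku_permits_sha1(ca_ext_der) and eku_permits_sha1(ee_ext_der)


if __name__ == "__main__":
    # Constructed sample: an S/MIME-only intermediate and leaf, critical EKU.
    ca = encode_eku_extension([ID_KP_EMAIL_PROTECTION], critical=True)
    ee = encode_eku_extension([ID_KP_EMAIL_PROTECTION], critical=True)
    print(ca.hex(), decode_eku_extension(ca), sha1_signing_allowed(ca, ee))
    # Same purposes but the CA's EKU is non-critical: fails the proposed text,
    # even though every EKU-aware validator would treat both CAs identically.
    ca_nc = encode_eku_extension([ID_KP_EMAIL_PROTECTION], critical=False)
    print(ca_nc.hex(), decode_eku_extension(ca_nc), sha1_signing_allowed(ca_nc, ee))
```

Comparing the two hex dumps printed at the end shows exactly what the critical flag costs on the wire: three bytes (`01 01 ff`) and nothing else, which is why Rob's objection is about reissuing intermediates rather than about any change in validation behaviour.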