[cabfpub] Mozilla SHA-1 further restrictions
Gervase Markham
gerv at mozilla.org
Thu Nov 17 17:00:13 UTC 2016
On 17/11/16 16:31, Erwann Abalea wrote:
> This results in the situation where a {BC:cA=True,
> keyUsage=keyCertSign+keyCrlSign} certificate would be denied the
> right to sign a CRL. Same reasoning with an OCSP response (signed by
> the CA itself).
Well, OK. I think what I'm trying to achieve here (not allowing signing
of attacker-controlled data) is clear; can someone tell me how to write
that?
>> Let's say someone signs an email cert from an intermediate without
>> pathlen:0. If there's a collision, that signature can be passed to
>> an intermediate cert which can sign email certs for any email
>> address. But if it has a pathlen, they can only create an EE cert.
>
> An attacker could collide and generate a self-issued CA certificate,
> again with BC:pathLenConstraint=0 (this is valid).
Er, I don't understand what you are saying here. If it's self-signed,
no-one would trust it. But it can't chain, because the intermediate
above has pathlen=0.
Gerv
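The pathlen discussion above, as an added example that is not part of the thread: a small Python model of the path-length bookkeeping in RFC 5280 section 6.1.4 (steps k, l and m), run over constructed chains. It shows that an intermediate carrying BC:pathLenConstraint=0 causes a subordinate, non-self-issued CA certificate to be rejected, while a self-issued CA certificate (subject equal to issuer) does not consume path length under step (l), which is the case Erwann refers to. The dict layout, the subject names and the `validate_path_lengths` function are assumptions of this example; signature verification is out of scope and assumed to have already passed.

```python
# Added example, not code from the thread: a minimal model of the path-length
# bookkeeping in RFC 5280 section 6.1.4 (steps k, l, m), used to see what
# BC:pathLenConstraint=0 on an intermediate does and does not rule out.
# Certificates are constructed dicts standing in for parsed X.509 extensions;
# signature checking is out of scope and assumed to have passed.


def validate_path_lengths(chain):
    """Walk a chain whose first element is issued by the trust anchor and whose
    last element is the end-entity certificate. Returns (ok, reason)."""
    max_path_length = None            # None models 'no limit yet' (RFC 5280: n)
    for i, cert in enumerate(chain):
        # 6.1.3 (a)(4): each certificate must name the previous one as issuer
        if i > 0 and cert["issuer"] != chain[i - 1]["subject"]:
            return False, f"{cert['subject']}: issuer does not match previous subject"
        if i == len(chain) - 1:
            break                     # 6.1.4 is not applied to the last certificate
        # (k): anything with a subordinate must itself be a CA certificate
        if not cert.get("ca", False):
            return False, f"{cert['subject']}: not a CA but has a subordinate"
        # (l): a certificate that is NOT self-issued consumes one unit of path length
        if cert["subject"] != cert["issuer"]:
            if max_path_length is not None:
                if max_path_length <= 0:
                    return False, f"{cert['subject']}: exceeds pathLenConstraint of its issuer"
                max_path_length -= 1
        # (m): the certificate's own pathLenConstraint can only tighten the limit
        plc = cert.get("path_len")
        if plc is not None and (max_path_length is None or plc < max_path_length):
            max_path_length = plc
    return True, "ok"


# Constructed certificates (names and layout are assumptions of this example).
INTERMEDIATE = {"subject": "Example Intermediate", "issuer": "Example Root",
                "ca": True, "path_len": 0}
EMAIL_EE = {"subject": "user@example.com", "issuer": "Example Intermediate",
            "ca": False}

# 1. The intended shape: intermediate with pathlen=0 signs an end-entity cert.
CHAIN_DIRECT = [INTERMEDIATE, EMAIL_EE]

# 2. A subordinate CA under the pathlen=0 intermediate: rejected by step (l).
SUB_CA = {"subject": "Example Sub-CA", "issuer": "Example Intermediate", "ca": True}
EE_VIA_SUB = {"subject": "anyone@example.net", "issuer": "Example Sub-CA", "ca": False}
CHAIN_VIA_SUB_CA = [INTERMEDIATE, SUB_CA, EE_VIA_SUB]

# 3. A self-issued CA certificate (subject == issuer) under the same intermediate:
#    step (l) skips the decrement, so pathlen=0 does not block it.
SELF_ISSUED = {"subject": "Example Intermediate", "issuer": "Example Intermediate",
               "ca": True, "path_len": 0}
CHAIN_VIA_SELF_ISSUED = [INTERMEDIATE, SELF_ISSUED, EMAIL_EE]


if __name__ == "__main__":
    for name, chain in [("direct", CHAIN_DIRECT),
                        ("via sub-CA", CHAIN_VIA_SUB_CA),
                        ("via self-issued", CHAIN_VIA_SELF_ISSUED)]:
        print(f"{name:16s} -> {validate_path_lengths(chain)}")
```

The third chain is the one a path validator accepts despite pathlen=0, so a policy that relies on pathLenConstraint alone to bound what an intermediate's signature can be reused for needs to account for the self-issued exception in step (l).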