[cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016
sleevi at google.com
Wed Oct 26 21:55:55 UTC 2016
Forwarding on behalf of Brian Smith
On Wed, Oct 26, 2016 at 2:39 PM, Brian Smith <brian at briansmith.org> wrote:
> [Please forward this message to the CABForum mailing list. Thanks!]
> Rick Andrews via Public <public at cabforum.org> wrote:
>> Rob, I think the primary use case is OCSP for code signing certificates
>> the ICAs that sign them) that sign code that is validated on older
>> of Windows that do not, and will not, support SHA-2.
> It would be best to narrow the scope of this exception to the minimum
> * Please clarify whether the signatures in question are the signatures on
> the OCSP responses, the signatures on the OCSP response signing
> certificate, or both.
> * If the exception is only necessary for code signing certificates then
> please narrow the scope to OCSP responses for code signing certificates and
> don't allow SHA-1 to be used in any signature needed to validate an OCSP
> response for SSL certificates.
> * And/or, if the exception is needed for some SSL certificates, but only
> for certificates that were signed with a SHA-1 signature, then please
> narrow the scope to certificates that were signed with a SHA-1 signature.
> * And/or if the exception is necessary for SSL certificates even in cases
> where all the certificate signatures are already SHA-2, but it is only
> needed for RSA signatures, then please narrow the scope to RSA signatures
> and in particular don't allow ECDSA-SHA1 signatures for OCSP.
> In particular, it would be good to avoid the case where it is required to
> verify a SHA-1 signature as part of OCSP processing for a SSL certificate
> when SHA-2 is used everywhere else.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public