[cabfpub] Allowing SHA-1 OCSP and CRL signatures past 2016

Ryan Sleevi sleevi at google.com
Wed Oct 26 21:55:55 UTC 2016

Forwarding on behalf of Brian Smith

On Wed, Oct 26, 2016 at 2:39 PM, Brian Smith <brian at briansmith.org> wrote:

> [Please forward this message to the CABForum mailing list. Thanks!]
> Rick Andrews via Public <public at cabforum.org> wrote:
>> Rob, I think the primary use case is OCSP for code signing certificates
>> (and
>> the ICAs that sign them) that sign code that is validated on older
>> versions
>> of Windows that do not, and will not, support SHA-2.
> It would be best to narrow the scope of this exception to the minimum
> necessary:
> * Please clarify whether the signatures in question are the signatures on
> the OCSP responses, the signatures on the OCSP response signing
> certificate, or both.
> * If the exception is only necessary for code signing certificates then
> please narrow the scope to OCSP responses for code signing certificates and
> don't allow SHA-1 to be used in any signature needed to validate an OCSP
> response for SSL certificates.
> * And/or, if the exception is needed for some SSL certificates, but only
> for certificates that were signed with a SHA-1 signature, then please
> narrow the scope to certificates that were signed with a SHA-1 signature.
> * And/or if the exception is necessary for SSL certificates even in cases
> where all the certificate signatures are already SHA-2, but it is only
> needed for RSA signatures, then please narrow the scope to RSA signatures
> and in particular don't allow ECDSA-SHA1 signatures for OCSP.
> In particular, it would be good to avoid the case where it is required to
> verify a SHA-1 signature as part of OCSP processing for a SSL certificate
> when SHA-2 is used everywhere else.
> Thanks,
> Brian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161026/3ac5af7f/attachment-0003.html>

More information about the Public mailing list