[cabfpub] SHA-1 Collision Found

Phillip Hallam-Baker philliph at comodo.com
Fri Feb 24 03:54:08 UTC 2017

> On Feb 23, 2017, at 10:40 PM, Ryan Sleevi <sleevi at google.com> wrote:
> On Thu, Feb 23, 2017 at 7:04 PM, philliph at comodo.com wrote:
> > If we are to lead, how about doing the obvious and setting a date by which servers and browsers are advised to provide support for SHA-3?
> Hi Phillip,
> Could you point me to any IETF documents that describe or specify how CAs would generate such signatures?
> And can you point me to any HSM vendors that CAs might use to ensure that their private keys are appropriately protected when generating these signatures?
> I look forward to engaging with you on how we can move the industry forward, and I look forward to opportunities to learn about what efforts Comodo has put forward in this space, as well as opportunities for how we as a Forum can work together to address the necessary and obvious concerns before discussing dates.

I did try to get SHA-3 added to the CURDLE working group work items. And I was told that nobody was asking for it. 

Things have to break before some people will act. Which is why I consider the proposal to further reduce validity intervals to provide more procrastination time positively harmful. The SHA-2 transition took a decade. We could have started five years earlier.

SHA-2 is a direct swap for SHA-3, however. All that is required is to define the necessary OIDs. And the CURDLE charter does not preclude SHA-3, it merely does not list them as current work items.

If we are going to judge proposals by the number of other industry players who support them, where does a proposal that only garners support of one other browser and one CA stand? 

