[cabfpub] SHA-1 Collision Found

philliph at comodo.com philliph at comodo.com
Fri Feb 24 15:17:21 UTC 2017


> On Feb 23, 2017, at 11:59 PM, Ryan Sleevi <sleevi at google.com> wrote:
> 
> 
> 
> On Thu, Feb 23, 2017 at 8:52 PM, Peter Bowen <pzb at amzn.com <mailto:pzb at amzn.com>> wrote:
> All that is preventing the use of id-rsassa-pkcs1-v1_5-with-sha3-256, id-rsassa-pkcs1-v1_5-with-sha3-384, and id-rsassa-pkcs1-v1_5-with-sha3-512 is (1) the BRs and (2) lack of implantation by browsers.  When is Chrome planning to support these algorithms?
> 
> As there has not been any bug request filed from any member at present, it hasn't been added to any roadmaps that I can share. 

There is a field of study in political science called agenda denial.

That is what people do when they don’t want to actually deal with a particular argument where they know they are at a disadvantage.

Instead of actually engaging on the issue, they challenge the right to raise it. It is always too soon or too late or it has not been raised in the right form. The people trying to raise it did not check the correct box on the right form at the right time. In one venue it is necessary to wait for the other to act, in the other venue the situation is reversed. Or they raised the question in the wrong way.

In every case the tactic is to attack the person making the proposal and their right to raise it rather than deal with the issue on the merits.


The WebPKI has always had two de-facto standard digest algorithms. With the final break of SHA-1 and the publication of SHA-3, there is an urgent need and the ability to specify a new algorithm.

I am raising the SHA-3 issue right now.


To address the points you raised:

* Since CABForum has taken on the role of approving algorithms for the WebPKI, the place to begin a process of rolling out a backup algorithm is here. The IETF frequently receives requests from similar bodies to provide technical support for such proposals and they are almost invariably accepted. I have contacted the Security ADs for advice.

* The lack of HSM support is not a concern as HSM manufacturers respond to the decisions of bodies like CABForum.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170224/42e6e24e/attachment-0003.html>


More information about the Public mailing list