[cabfpub] SHA-1 Collision Found

philliph at comodo.com philliph at comodo.com
Fri Feb 24 17:58:24 UTC 2017

> On Feb 24, 2017, at 12:32 PM, Ryan Sleevi <sleevi at google.com> wrote:
> On Fri, Feb 24, 2017 at 7:17 AM, philliph at comodo.com <mailto:philliph at comodo.com> <philliph at comodo.com <mailto:philliph at comodo.com>> wrote:
> * The lack of HSM support is not a concern as HSM manufacturers respond to the decisions of bodies like CABForum.
> Hi Phillip,
> I've snipped much of your email, since I believe it's neither appropriate nor relevant for the list.

I edit your posts for the same reason.

> As you appear to have missed the point I was raising,

No, I fully understood the point you were trying to make. I disagree with you. Disagreeing with someone who is wrong is not the same as missing a point.

> which is unfortunate given your knowledge of the Web PKI, I would simply again highlight that if such a signature cannot be produced without exposing the key material, then that is very much a concern for the CA/Browser Forum.

Well as it happens, that is not a problem. 

* There is a set of FIPS requirements and testing regimes etc. for SHA-3
* There are HSMs that have met those requirements. 

What is a concern related to HSMs is that the transition is widely supported so CAs do not have to make major changes to their infrastructure or change suppliers or use different hardware for SHA-3 certificates.

The availability of HSMs is a concern but it is actually the very last but one on the critical path which is at present

* NIST issues FIPS (done)
* IETF publishes specification (started on this)
* CABForum amends guidelines to permit use
* Browsers add support
* HSM vendors ship product
* CAs issue certificates.

> We have already had this discussion before, but I do not believe you chose to participate, so it is unfortunate that you don't recognize the value in making productive, collaborative progress.

You think accusing me of suggesting we issue certificates before HSMs are available is an attempt to make productive collaborative progress?

I never made any such suggestion. It was a pure canard that you raised.

> This is the broader discussion, had during the last F2F (and some time before) about what the intrinsic goals are with the CA/B Forum requiring the use of a FIPS 140-2/3 Level 3 or CC EAL Level 4 key protection device. If the intent is solely for key protection, then the points Peter raised about utilizing 'raw' signing mode (whether PKCS#1 or literally raw RSA signing) are relevant - it suggests that the key material can be protected sufficiently (for RSA key sizes less than 4096 bits, assuming a FIPS-approved mode of operation) while still producing these signatures. If we take the view that such HSMs must operate in a FIPS-validated mode of operation, then it's very relevant to understand what methods exist to produce such signatures while still maintaining that operation (the method Peter raised is generally not available in a FIPS-approved mode of operation, depending on vendor, due to the fact that to maintain the FIPS mode of operation, the HSM needs to produce the message digest itself using an approved algorithm in an validated mode of operation). I realize that, given your general lack of participation in the Forum, except for pointing out when it's doing something you disagree with, you may not have followed those discussions, and may not have been aware that it's still very much an open and unresolved issue, with relevance to the operation of CAs today (particularly those with >= 4096-bit keys) and tomorrow (for those that would like to adopt EdDSA or SHA-3).

The issue is irrelevant.

The value of performing a transition of this type in advance is precisely that we can make such choices as we see fit. 

I do not see the need to issue SHA-3 certificates tomorrow or even next year. But I would like to be in a situation where we could begin issue in  36 months time should the need arise.

If CABForum decides it wants to do something and it is not completely ridiculous and is technically feasible then I have no doubt that the product managers at the HSM companies will provide product that meets those needs within an acceptable time frame.

The questions you raise are not relevant at this time. In fact they are purely orthogonal to the issue we are discussing.

> I do hope that, with some time to carefully reflect on the messages on the thread, to recognize where confusion might exist and reconsider the appropriateness of assuming you correctly understand the issue versus asking questions to clarify, you might be able to make a productive contribution to the discussion.

Perhaps if you could manage to make any posts without personal attacks, invectives or insults, I would take the last comment as being serious.

My CEO is reading every post I write here. I wonder how far up your management chain your activities here are being discussed. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170224/c0d98f5c/attachment-0003.html>

More information about the Public mailing list