On 02/23/16 18:57, Gervase Markham wrote:
[snip]
> Symantec may issue certificates to Worldpay if the following things are
> true:
Based on what's happened with MD5 certificates, it seems the main risk of harm comes from something like a chosen-prefix collision attack using a specially constructed CSR. In this case, the serial number of the resulting colliding certificate can be forged, so Mozilla's revocation/OneCRL requirement wouldn't seem to do much unless the OneCRL entries are keyed on the tbsCertificate SHA1 hash or similar (and not the issuer+serial number or the whole certificate hash).

If Mozilla is to allow this SHA1 issuance, it should also consider requiring steps to limit the impact of such attacks, such as one or more of:

- Issuing the certificates from a subCA with a pathlen constraint that prevents that subCA from signing subsubCA certificates, which I gather is already the case for most (all?) of Symantec's subCAs that directly issue TLS server certificates.

- Including >80 bits of entropy in the serial numbers of these certificates. (The BRs recommend but do not require 20 bits, and Symantec does not follow this recommendation under some of their subCAs: https://crt.sh/?cablint=38&iCAID=1559)

- Issuing the certificates via an internally operated (SHA-1) subCA that is technically constrained within the meaning of Mozilla's policy.
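The serial-entropy and SHA-1 points above, as an added example that is not part of the original post and not tooling from Mozilla, Symantec or crt.sh: a stdlib-only Python script that (a) generates serial numbers carrying a chosen number of random bits within RFC 5280's 20-octet limit, and (b) walks the outer DER of a certificate to flag SHA-1 signature algorithms and serials that are certainly short. The certificate it builds is constructed for the demo (placeholder issuer, validity, subject and key fields; it is not a valid certificate), and the OIDs are the standard sha1/sha256 identifiers. The function names are this example's own. One caveat the code makes explicit: the bit length of a serial is only an upper bound on its entropy, so an auditor can prove a serial is too short, but not that a long one is random.

```python
"""Serial-number entropy and SHA-1 signature checks for X.509 certificates.

Added example, not code from the mailing-list post. Uses only the standard
library: a few DER helpers, a serial generator and an audit routine.
"""
import secrets

# Signature algorithm OIDs that use SHA-1 (RFC 3279 / RFC 5758 values).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption, for the clean sample


def new_serial(entropy_bits=96):
    """Return a positive serial with `entropy_bits` random bits.

    RFC 5280 caps serials at 20 octets and DER needs a leading zero bit for a
    positive INTEGER, so 159 random bits is the most that always fits.
    """
    if not 1 <= entropy_bits <= 159:
        raise ValueError("entropy_bits must be between 1 and 159")
    serial = 0
    while serial == 0:                       # serial numbers must be positive
        serial = secrets.randbits(entropy_bits)
    return serial


# --- minimal DER encoding (enough to build the constructed sample) ---------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value):
    """DER INTEGER for a non-negative value (adds the leading zero byte when needed)."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


# --- minimal DER decoding (enough to reach serialNumber and signatureAlgorithm)
def read_tlv(buf, pos):
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def audit_certificate(cert_der, min_serial_bits=80):
    """Flag SHA-1 signatures and serials that cannot hold `min_serial_bits` of entropy.

    bit_length() is an upper bound on entropy: a short serial is provably weak,
    a long one is not thereby proven random.
    """
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs, pos = read_tlv(cert_body, 0)              # tbsCertificate
    _, sigalg, _ = read_tlv(cert_body, pos)           # outer signatureAlgorithm
    tag, body, p = read_tlv(tbs, 0)
    if tag == 0xA0:                                   # optional [0] EXPLICIT version
        tag, body, p = read_tlv(tbs, p)
    serial = int.from_bytes(body, "big", signed=True)
    _, oid_body, _ = read_tlv(sigalg, 0)
    oid = decode_oid(oid_body)
    findings = []
    if oid in SHA1_SIG_OIDS:
        findings.append(f"signed with {SHA1_SIG_OIDS[oid]} ({oid})")
    if serial <= 0:
        findings.append("serial number is not positive")
    elif serial.bit_length() < min_serial_bits:
        findings.append(f"serial holds at most {serial.bit_length()} bits, "
                        f"below the {min_serial_bits}-bit target")
    return {"serial": serial, "signature_oid": oid, "findings": findings}


def build_sample_certificate(serial, sig_oid):
    """Constructed, non-conforming sample: only version, serial and the signature
    algorithm are meaningful; the remaining fields are empty placeholders."""
    algid = der(0x30, der_oid(sig_oid) + b"\x05\x00")       # AlgorithmIdentifier + NULL
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + algid
              + der(0x30, b"") * 4)                          # issuer/validity/subject/spki placeholders
    return der(0x30, tbs + algid + der(0x03, b"\x00" * 17))  # placeholder signature BIT STRING


if __name__ == "__main__":
    weak = build_sample_certificate(0x0F, "1.2.840.113549.1.1.5")   # sequential serial, SHA-1
    strong = build_sample_certificate(new_serial(96), SHA256_RSA_OID)
    for name, cert in (("weak", weak), ("strong", strong)):
        print(name, audit_certificate(cert))
```

Running the script prints two findings for the constructed SHA-1 certificate with serial 15 and none for the SHA-256 one carrying 96 random bits; pointing `audit_certificate` at real DER files is a quick way to confirm that a CA's serials are at least long enough to hold the entropy it claims.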

