On Tue, Feb 23, 2016 at 1:44 PM, Charles Reiss <[email protected]> wrote:
> On 02/23/16 18:57, Gervase Markham wrote:
> [snip]
> > Symantec may issue certificates to Worldpay if the following things are
> > true:
>
> Based on what's happened with MD5 certificates, it seems the main risk
> of harm comes from something like a chosen-prefix collision attack using
> a specially constructed CSR. In this case, the serial number of the
> resulting colliding certificate can be forged, so Mozilla's
> revocation/OneCRL requirement wouldn't seem to do much unless the OneCRL
> entries are keyed on the tbsCertificate SHA1 hash or similar (and not
> the issuer+serial number or the whole certificate hash).
>
> If Mozilla is to allow this SHA1 issuance, it should also consider
> requiring steps to limit the impact of such attacks, such as one or more
> of:
>
> - Issuing the certificates from a subCA with a pathlen constraint that
> prevents that subCA from signing subsubCA certificates, which I gather
> is already the case for most (all?) of Symantec's subCAs that
> directly issue TLS server certificates.

I don't think it makes sense to require Symantec to stand up a new subCA,
given the time horizon. However, it would be good to see if they could use
an existing subCA that is constrained in this way.

> - Including >80 bits of entropy in the serial numbers of these
> certificates. (The BRs recommend but do not require 20 bits, and
> Symantec does not follow this recommendation under some of their subCAs:
> https://crt.sh/?cablint=38&iCAID=1559)

This is an excellent idea.

> - Issuing the certificates via an internally operated (SHA-1) subCA that
> is technically constrained within the meaning of Mozilla's policy.

As above, I don't think making a new subCA makes sense. This could be a
reasonable approach for longer-range issues, though, should any arise.
--Richard

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
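The serial-number suggestion above (more than 80 bits of CSPRNG output, against the 20 bits the BRs recommend) is easy to check and easy to get wrong at the DER level, so here is an added example, written for this page and not code from the thread, from Mozilla or from Symantec. It assumes the RFC 5280 4.1.2.2 rules for CertificateSerialNumber (positive INTEGER, at most 20 content octets, minimal DER encoding) and the X.509 field order Certificate, tbsCertificate, [0] version, serialNumber, signature AlgorithmIdentifier. It generates a serial the way a CA should, encodes it, pulls the serial and signature algorithm back out of a certificate prefix, and lints the serial the way a tool like the crt.sh check linked above can: by length, which bounds entropy from above but cannot prove randomness. The sample certificate is constructed and truncated after the signature algorithm; the function and constant names are my own.

```python
"""Serial-number and signature-algorithm checks for SHA-1 issuance.

Added example, not code from the thread, from Mozilla or from Symantec.
Assumptions: RFC 5280 4.1.2.2 (positive INTEGER, at most 20 content
octets, minimal DER) and the X.509 layout Certificate -> tbsCertificate
-> [0] version, serialNumber, signature AlgorithmIdentifier. The sample
certificate is constructed and truncated; it is not a real certificate.
"""
import secrets

MAX_SERIAL_OCTETS = 20                  # RFC 5280 4.1.2.2
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"  # sha1WithRSAEncryption


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a tag-length-value triple."""
    return bytes([tag]) + _der_length(len(content)) + content


def encode_der_integer(value: int) -> bytes:
    """DER INTEGER of a non-negative value. The pad byte added when the top
    bit is set keeps the number from being read as negative; it also counts
    toward the 20-octet limit."""
    if value < 0:
        raise ValueError("CertificateSerialNumber must be positive")
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position just after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + header
    return tag, buf[start:start + length], start + length


def decode_oid(content: bytes) -> str:
    """Dotted form of an OBJECT IDENTIFIER's content octets."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def serial_and_sigalg(cert_der: bytes):
    """(serial, signature algorithm OID) from the leading tbsCertificate fields."""
    _, cert, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert)              # tbsCertificate
    tag, elem, nxt = read_tlv(tbs)
    if tag == 0xA0:                         # explicit [0] version present: skip it
        tag, elem, nxt = read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = int.from_bytes(elem, "big", signed=True)
    _, alg, _ = read_tlv(tbs, nxt)          # signature AlgorithmIdentifier
    _, oid, _ = read_tlv(alg)
    return serial, decode_oid(oid)


def lint_serial(serial: int, min_bits: int = 80) -> list:
    """Problems with a serial. A lint only sees the number's bit length, an
    upper bound on its entropy: it can flag a serial too short to hold
    min_bits of randomness but cannot prove a long one is random."""
    if serial <= 0:
        return ["serial is not positive (RFC 5280 4.1.2.2)"]
    problems = []
    if (serial.bit_length() + 8) // 8 > MAX_SERIAL_OCTETS:
        problems.append("serial encodes to more than 20 octets (RFC 5280 4.1.2.2)")
    if serial.bit_length() < min_bits:
        problems.append("serial is %d bits long; %d bits of CSPRNG output suggested"
                        % (serial.bit_length(), min_bits))
    return problems


def new_serial(random_bits: int = 128) -> int:
    """Draw a serial from the OS CSPRNG. 128 bits leaves a wide margin over
    the 80-bit suggestion: the value's bit length is 128 minus its leading
    zero bits, so lint_serial() passes except with probability 2**-48."""
    while True:
        serial = secrets.randbits(random_bits)
        if serial > 0:
            return serial


def sample_certificate(serial: int) -> bytes:
    """Constructed, truncated SHA-1-signed certificate: only version, serial
    and signature algorithm are present. Not a real certificate."""
    sha1_rsa = der(0x06, bytes.fromhex("2a864886f70d010105")) + b"\x05\x00"
    tbs = der(0x30, der(0xA0, encode_der_integer(2)) + encode_der_integer(serial)
              + der(0x30, sha1_rsa))
    return der(0x30, tbs)


if __name__ == "__main__":
    for candidate in (0x0123, new_serial()):
        serial, alg = serial_and_sigalg(sample_certificate(candidate))
        print(hex(serial), alg, lint_serial(serial) or "serial OK",
              "(SHA-1 signed)" if alg == SHA1_WITH_RSA else "")
```

Two details worth noticing: the 20-octet limit is counted on the encoded INTEGER, so a 160-bit serial with its top bit set is already over the limit because of the sign pad; and the lint threshold is deliberately on bit length only, which is why a generator should draw well over the minimum rather than exactly 80 bits.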

