On Wednesday, August 17, 2016 at 3:02:26 PM UTC+8, Matt Palmer wrote:
> On Tue, Aug 16, 2016 at 10:22:36PM -0700, [email protected] wrote:
> > and have been issuing SHA-256 SSL certificates under "Hongkong Post e-Cert
> > CA 1 - 14" and "Hongkong Post e-Cert CA 1 - 15" respectively
> 
> "respectively" in what sense?


We took two stages of transitioning to a new BR-compliant subCA "Hongkong Post 
e-Cert CA 1 - 15" for issuing BR-compliant SSL certificates 
(https://bugzilla.mozilla.org/show_bug.cgi?id=1267332#c2):

Stage 1: Start issuing SHA-256 SSL certificates from "Hongkong Post e-Cert CA 1 
- 14" from 1 January 2015. At that time, we had announced that we would stop 
issuing SHA-1 SSL certificates, which are issued under "Hongkong Post e-Cert CA 
1 - 10", from 1 January 2016 (http://www.hongkongpost.gov.hk/news/press/73.html).

Stage 2: Start issuing SHA-256 SSL certificates supporting OCSP from "Hongkong 
Post e-Cert CA 1 - 15" from 1 September 2015. This subCA is used to issue 
BR-compliant SSL certificates. We have also announced that we will stop issuing 
non-BR-compliant SSL certificates under "Hongkong Post e-Cert CA 1 - 14" from 1 
September 2016 (http://www.hongkongpost.gov.hk/news/press/76.html).


> 
> > This certificate is a client certificate issued to a person for private
> > use such as digital signature and encryption of electronic messages, but
> > not for SSL server communication.
> 
> What mitigations are in place to prevent someone from using a chosen prefix
> attack to obtain a valid signature issued under this CA which is also valid
> for a certificate which *could* be used for SSL server communication?
> 

Through our effort of sunsetting "Hongkong Post e-Cert CA 1 - 10" for SSL 
certificates, the majority of SHA-1 SSL certificates will have expired by 31 Dec 
2016, leaving only a few SHA-1 SSL certificates that are valid beyond 1 Jan 2017. 
In our response to Mozilla's March 2016 CA Communication, we have also 
committed to having those certificates revoked by 31 Dec 2016.

> - Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
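The two commitments stated in the reply above (SHA-1 SSL certificates still valid on or after 1 January 2017 are to be revoked by 31 December 2016, and no SSL certificates are to be issued under "Hongkong Post e-Cert CA 1 - 14" on or after 1 September 2016) are the kind of thing a relying party or auditor would want to check against the CA's own inventory. The following is an added example, not code from Hongkong Post or from the mailing-list thread. The inventory record layout, the `CertRecord` class, the `audit` function and the sample records are all constructed for this illustration; a real audit would populate the records from the CA's database, CRLs or Certificate Transparency logs.

```python
"""Audit a certificate inventory against announced SHA-1 / subCA sunset commitments.

Added example (not the CA's or the mailing list's code). Dates are the ones
stated in the thread; the record format and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Deadlines stated in the reply.
SHA1_VALIDITY_CUTOFF = date(2017, 1, 1)       # SHA-1 certs valid on/after this are "remaining"
SHA1_REVOCATION_DEADLINE = date(2016, 12, 31)  # ... and must be revoked by this date
CA14_ISSUANCE_STOP = date(2016, 9, 1)          # no more SSL issuance from CA 1 - 14

CA10 = "Hongkong Post e-Cert CA 1 - 10"
CA14 = "Hongkong Post e-Cert CA 1 - 14"
CA15 = "Hongkong Post e-Cert CA 1 - 15"

# Signature algorithm names as they appear in typical X.509 tooling output.
SHA1_SIGNATURE_ALGORITHMS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}


@dataclass(frozen=True)
class CertRecord:
    """One row of a (constructed) CA inventory export."""
    serial: str
    issuer: str
    sig_alg: str
    not_before: date
    not_after: date
    revoked_on: Optional[date] = None


# Finding codes returned by audit().
SHA1_NOT_REVOKED = "SHA1_VALID_PAST_CUTOFF_NOT_REVOKED_BY_DEADLINE"
CA14_LATE_ISSUANCE = "ISSUED_UNDER_CA14_ON_OR_AFTER_STOP_DATE"


def audit(records: List[CertRecord], today: date) -> List[Tuple[str, str]]:
    """Return (serial, finding_code) for every record that breaks a commitment.

    A SHA-1 certificate whose notAfter reaches the cutoff is only compliant if
    it was revoked on or before the revocation deadline. Before the deadline has
    passed (today <= deadline) an unrevoked certificate is still pending, so it
    is not reported; after it, it is a finding.
    """
    findings: List[Tuple[str, str]] = []
    for r in records:
        if r.sig_alg in SHA1_SIGNATURE_ALGORITHMS and r.not_after >= SHA1_VALIDITY_CUTOFF:
            revoked_in_time = r.revoked_on is not None and r.revoked_on <= SHA1_REVOCATION_DEADLINE
            if not revoked_in_time and today > SHA1_REVOCATION_DEADLINE:
                findings.append((r.serial, SHA1_NOT_REVOKED))
        if r.issuer == CA14 and r.not_before >= CA14_ISSUANCE_STOP:
            findings.append((r.serial, CA14_LATE_ISSUANCE))
    return findings


# Constructed sample inventory: serial numbers and dates are made up.
SAMPLE_INVENTORY = [
    # Expires before the cutoff: nothing to do.
    CertRecord("01", CA10, "sha1WithRSAEncryption", date(2015, 12, 1), date(2016, 11, 30)),
    # Valid past the cutoff and never revoked: must be reported.
    CertRecord("02", CA10, "sha1WithRSAEncryption", date(2015, 7, 1), date(2017, 6, 30)),
    # Valid past the cutoff but revoked in time: compliant.
    CertRecord("03", CA10, "sha1WithRSAEncryption", date(2015, 3, 1), date(2017, 3, 1),
               revoked_on=date(2016, 12, 15)),
    # CA 1 - 14 issuance before the stop date: allowed.
    CertRecord("04", CA14, "sha256WithRSAEncryption", date(2016, 8, 20), date(2018, 8, 20)),
    # CA 1 - 14 issuance on/after the stop date: must be reported.
    CertRecord("05", CA14, "sha256WithRSAEncryption", date(2016, 9, 5), date(2018, 9, 5)),
    # CA 1 - 15 is the BR-compliant subCA: allowed.
    CertRecord("06", CA15, "sha256WithRSAEncryption", date(2016, 9, 5), date(2018, 9, 5)),
]

AUDIT_DATE = date(2017, 1, 15)  # a date after both deadlines have passed


def audit_sample() -> List[Tuple[str, str]]:
    """Run the audit over the constructed inventory as of AUDIT_DATE."""
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for serial, code in audit_sample():
        print(f"serial {serial}: {code}")
```

Run as of a date before the revocation deadline (for example 15 December 2016), `audit` reports only the CA 1 - 14 issuance, because the unrevoked SHA-1 certificate is still within the window the CA committed to; run after the deadline it reports both.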
