On Wednesday, August 17, 2016 at 2:55:50 AM UTC-7, Kurt Roeckx wrote: > I don't see that being asked, it was just pointed out that this is a > violation of the BR requirements, and that the CA certificate might get > added to OneCRL preventing it's use to issue certificates for server > authentication.
Except, as I tried to highlight, it's not clear that it's a BR violation (the scope problem), nor is the serial number a clear BR violation (SHOULD under previous versions, MUST not in effect yet) > The BR requirements only apply to certificates that can be used for > server authentication, and they say they stopped using that intermediate > certificate for server authentication at the start of the year. But the > SHA-1 requirement really is about all certificates, not just those that > need to comply with the BR requirements. Right, but this is the scope problem. > I don't think adding that CA certificate to OneCRL is enough, that would > only protect Mozilla users. They should revoke all the relevant > certificates. Define "relevant"? If a SHA-1 collision has been mounted, Hongkong Post revoking those SHA-1 certs does nothing, because the attacker can manipulate the serial number of the colliding certs. The only level at which any meaningful action can be taken is at the "1 - 10" CA layer - revoking that intermediate, such as by OneCRL and by Hongkong Post's CRL. The rest would just be for show, not security. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
