On Wed, 17 Aug 2016 19:08:08 +0200
Kurt Roeckx <k...@roeckx.be> wrote:

> On Wed, Aug 17, 2016 at 09:55:24AM -0700, Ryan Sleevi wrote:
> > > I don't think adding that CA certificate to OneCRL is enough,
> > > that would only protect Mozilla users.  They should revoke all
> > > the relevant certificates.
> > 
> > Define "relevant"? If a SHA-1 collision has been mounted, Hongkong
> > Post revoking those SHA-1 certs does nothing, because the attacker
> > can manipulate the serial number of the colliding certs. The only
> > level at which any meaningful action can be taken is at the "1 -
> > 10" CA layer - revoking that intermediate, such as by OneCRL and by
> > Hongkong Post's CRL. The rest would just be for show, not security.
> 
> It's my understanding that the attack depends on the serial being
> predictable, since it's at the start of the certificate.  But I
> guess they might not need the whole serial to match, I have no
> idea at which point it starts to get more practical to attack.

The attacker has to be able to control (or predict) the prefix of the
data signed by the CA (which in the case of a TBSCertificate, includes
the serial number), as well as the prefix of the forged certificate.
However, they do not have to be the same, and their similarity has no
bearing whatsoever on the practicality of the attack.  In fact, the
data signed by the CA need not even be a TBSCertificate - if a CA signs
an OCSP response with SHA-1, an attacker could forge a certificate[1].
This is why action must be taken at the level of the key doing the
SHA-1 signing - that is, the intermediate CA level.

Regards,
Andrew

[1] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02999.html
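Ryan's point above, as an added illustration that is not code from the thread: a CRL that lists the serial numbers the CA actually issued cannot match a colliding certificate whose serial the attacker chose, while a OneCRL-style distrust entry keyed on the intermediate's signing key rejects everything that key signed. The issuer name, key bytes and serial numbers are constructed for the example.

```python
"""Per-serial revocation versus distrust of the signing key, for a
SHA-1 collision scenario.  Added example; the records below are
constructed and the key bytes are not a real public key."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str         # issuer DN as a string
    serial: int         # serialNumber, attacker-chosen in a forged cert
    issuer_spki: bytes  # public key of the key that signed this cert
    sig_alg: str        # e.g. "sha1WithRSAEncryption"


def spki_fingerprint(spki: bytes) -> str:
    return hashlib.sha256(spki).hexdigest()


def revoked_by_crl(cert: Cert, crl: dict[str, set[int]]) -> bool:
    """Classic CRL semantics: revoked only if the issuer's CRL lists
    this exact serial number."""
    return cert.serial in crl.get(cert.issuer, set())


def blocked_by_key_distrust(cert: Cert, distrusted: set[str]) -> bool:
    """OneCRL-style entry for the intermediate: anything signed by the
    distrusted key is rejected, whatever its serial number."""
    return spki_fingerprint(cert.issuer_spki) in distrusted


INTERMEDIATE = "CN=Example SHA-1 Intermediate"   # hypothetical issuer
KEY = b"constructed-spki-bytes-of-intermediate"  # placeholder, not a key

# Certificates the CA really issued (serials it knows about).
legit = [Cert(INTERMEDIATE, s, KEY, "sha1WithRSAEncryption")
         for s in (1001, 1002, 1003)]
# A colliding certificate: same signing key, but a serial the CA never
# issued, because the attacker controlled that part of the prefix.
forged = Cert(INTERMEDIATE, 0x7F3A9C, KEY, "sha1WithRSAEncryption")


def evaluate() -> dict[str, bool]:
    crl = {INTERMEDIATE: {c.serial for c in legit}}  # "revoke the relevant certs"
    distrusted = {spki_fingerprint(KEY)}             # "revoke the intermediate"
    return {
        "forged_caught_by_crl": revoked_by_crl(forged, crl),
        "forged_caught_by_key_distrust": blocked_by_key_distrust(forged, distrusted),
        "legit_caught_by_key_distrust": all(blocked_by_key_distrust(c, distrusted) for c in legit),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {hit}")
```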
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy