On Wednesday, August 17, 2016 at 10:31:29 AM UTC-7, Andrew Ayer wrote:
> The attacker has to be able to control (or predict) the prefix of the
> data signed by the CA (which in the case of a TBSCertificate, includes
> the serial number), as well as the prefix of the forged certificate.
> However, they do not have to be the same, and their similarity has no
> bearing whatsoever on the practicality of the attack.  In fact, the
> data signed by the CA need not even be a TBSCertificate - if a CA signs
> an OCSP response with SHA-1, an attacker could forge a certificate[1].
> This is why action must be taken at the level of the key doing the
> SHA-1 signing - that is, the intermediate CA level.
> 
> Regards,
> Andrew
> 
> [1] 
> https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02999.html

Based on this statement I would assume we need to worry about root CAs issuing 
SHA-1 CRLs?

Regards,
Curt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
