On Wed, Aug 17, 2016 at 11:43:45AM -0700, [email protected] wrote:
> On Wednesday, August 17, 2016 at 10:31:29 AM UTC-7, Andrew Ayer wrote:
> > The attacker has to be able to control (or predict) the prefix of the
> > data signed by the CA (which in the case of a TBSCertificate, includes
> > the serial number), as well as the prefix of the forged certificate.
> > However, they do not have to be the same, and their similarity has no
> > bearing whatsoever on the practicality of the attack. In fact, the
> > data signed by the CA need not even be a TBSCertificate - if a CA signs
> > an OCSP response with SHA-1, an attacker could forge a certificate[1].
> > This is why action must be taken at the level of the key doing the
> > SHA-1 signing - that is, the intermediate CA level.
> >
> > Regards,
> > Andrew
> >
> > [1]
> > https://www.mail-archive.com/[email protected]/msg02999.html
>
> Based on this statement I would assume we need to worry about root CAs
> issuing SHA-1 CRLs?

I think OCSP with a nonce and SHA-1 is probably more something to worry about.

Kurt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
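Andrew's point above is that the SHA-1 signing key is the problem wherever it is used, and a Certificate, a CertificateList (CRL) and a BasicOCSPResponse all share the outer DER shape SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING }. As an added example (not code from this thread or from Mozilla), here is a dependency-free Python check that reads the outer signatureAlgorithm OID from any of those DER blobs and reports whether it is a SHA-1 algorithm; the function names and the constructed sample blobs are mine, and the samples are not real certificates.

```python
# Signature-algorithm OIDs that hash with SHA-1 (values from RFC 3279 / RFC 5758).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

def der_read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Dotted string from the content octets of an OBJECT IDENTIFIER."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 group of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """OID of the outer signatureAlgorithm. Certificate, CertificateList (CRL) and
    BasicOCSPResponse all start SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING }."""
    tag, body, _ = der_read_tlv(der, 0)
    _, _, tbs_end = der_read_tlv(der, body)            # skip the to-be-signed part
    tag_alg, alg, _ = der_read_tlv(der, tbs_end)       # AlgorithmIdentifier
    tag_oid, oid_start, oid_end = der_read_tlv(der, alg)
    if (tag, tag_alg, tag_oid) != (0x30, 0x30, 0x06):
        raise ValueError("not a Certificate/CRL/BasicOCSPResponse shaped blob")
    return decode_oid(der[oid_start:oid_end])

def uses_sha1(der):  # algorithm name if the blob is SHA-1 signed, else None
    return SHA1_SIG_OIDS.get(signature_algorithm(der))

# --- constructed sample input (hypothetical; not a real certificate) ---
def der_tlv(tag, body):  # short-form length is enough for these samples
    return bytes([tag, len(body)]) + body

def build_sample(sig_oid_hex):
    """Certificate-shaped DER with a trivial tbs and the given DER-encoded OID."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))                                  # SEQUENCE { INTEGER 1 }
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")  # OID + NULL params
    sig = der_tlv(0x03, b"\x00" + b"\xab" * 4)                                    # BIT STRING, 0 unused bits
    return der_tlv(0x30, tbs + alg + sig)

SHA1_RSA_SAMPLE = build_sample("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_RSA_SAMPLE = build_sample("2a864886f70d01010b")  # sha256WithRSAEncryption
```

Feed it the DER of an issued certificate, the current CRL, or the BasicOCSPResponse unwrapped from an OCSP response to see whether an intermediate's key is still producing SHA-1 signatures on any of them.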

