On Wednesday, 12 October 2016 14:50:22 UTC+1, Gervase Markham wrote:
> However, we would counsel all sites to move
> away from SHA-1 as the user experience will be as bad as the security.

A message I've seen from some security vendors, that I don't want us
reinforcing, is the idea that the SHA-1 certificates themselves are a security
problem and "upgrading" to a SHA-256 certificate improves security.

I think bank notes (outside the US) are a useful analogy. Sometimes the central
bank may begin issuing a new note with improved anti-forgery features. To
ensure forgers can't just keep making the old, more easily forged notes, these
are eventually withdrawn from general use once enough of the new are in

It would be a mistake to try to "improve" the security of your business by
swapping all its cash for the latest notes. The new notes aren't "more secure"
in a way that affects you, you haven't improved anything by doing this. Your
business should pay attention to notices from the bank about new notes coming
into circulation and about old ones being withdrawn, and make appropriate
plans, but so long as it does that there's no problem.

Web PKI Subscribers should be switching to SHA-1 because their Issuer requires
it. CA/B rules make that clear, compliance seems to be pretty good but browser
vendors like Mozilla are taking out insurance against the possibility that
somebody, somewhere, made a mistake. In my view for ordinary subscribers in the
Web PKI it's primarily a compatibility issue, rather than a security issue. Off
the Web PKI, in private systems, the risk/reward may look very different. If
your PKI only issues certificates on a sight basis to a handful of trusted
individuals suddenly the chosen prefix attack doesn't look like a real security
risk at all so SHA-1 seems fine.

dev-security-policy mailing list