On Wednesday, 12 October 2016 14:50:22 UTC+1, Gervase Markham wrote:
> However, we would counsel all sites to move
> away from SHA-1 as the user experience will be as bad as the security.

A message I've seen from some security vendors, that I don't want us 
reinforcing, is the idea that the SHA-1 certificates themselves are a security 
problem and "upgrading" to a SHA-256 certificate improves security.

I think bank notes (outside the US) are a useful analogy. Sometimes the central 
bank may begin issuing a new note with improved anti-forgery features. To 
ensure forgers can't just keep making the old, more easily forged notes, these 
are eventually withdrawn from general use once enough of the new are in 

It would be a mistake to try to "improve" the security of your business by 
swapping all its cash for the latest notes. The new notes aren't "more secure" 
in a way that affects you, you haven't improved anything by doing this. Your 
business should pay attention to notices from the bank about new notes coming 
into circulation and about old ones being withdrawn, and make appropriate 
plans, but so long as it does that there's no problem.

Web PKI Subscribers should be switching to SHA-1 because their Issuer requires 
it. CA/B rules make that clear, compliance seems to be pretty good but browser 
vendors like Mozilla are taking out insurance against the possibility that 
somebody, somewhere, made a mistake. In my view for ordinary subscribers in the 
Web PKI it's primarily a compatibility issue, rather than a security issue. Off 
the Web PKI, in private systems, the risk/reward may look very different. If 
your PKI only issues certificates on a sight basis to a handful of trusted 
individuals, suddenly the chosen-prefix attack doesn't look like a real security 
risk at all, so SHA-1 seems fine.
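A check for the compatibility side of this, added here and not part of the thread: it reads the outer signatureAlgorithm OID from a DER certificate and reports whether the signature is SHA-1, so a site can see which certificates in its chain the deprecation affects (a self-signed root's own signature is not verified by clients, so only leaf and intermediate signatures matter). The two sample certificates at the end are constructed skeletons, not real certificates.

```python
SIGNATURE_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                   "1.2.840.10045.4.1": "ecdsa-with-SHA1",
                   "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
                   "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}

def _tlv(der, pos):
    """Decode one DER tag/length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (real certs)
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, pos, _ = _tlv(cert_der, 0)
    _, _, tbs_end = _tlv(cert_der, pos)          # skip tbsCertificate
    _, pos, _ = _tlv(cert_der, tbs_end)          # AlgorithmIdentifier SEQUENCE
    oid_tag, start, end = _tlv(cert_der, pos)    # its algorithm OID
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER Certificate")
    return _decode_oid(cert_der[start:end])

def sha1_signed(cert_der):
    """Return (algorithm name or raw OID, True if the signature uses SHA-1)."""
    oid = signature_algorithm(cert_der)
    return SIGNATURE_NAMES.get(oid, oid), oid in SHA1_OIDS

def _der(tag, body):
    return bytes([tag, len(body)]) + body    # short-form length; samples < 128 bytes

def constructed_cert(oid_bytes):
    """Constructed skeleton: dummy tbs, AlgorithmIdentifier, dummy signature."""
    alg = _der(0x30, _der(0x06, oid_bytes) + b"\x05\x00")
    return _der(0x30, _der(0x30, b"\x02\x01\x01") + alg + _der(0x03, b"\x00" * 9))

SHA1_RSA_CERT = constructed_cert(bytes.fromhex("2a864886f70d010105"))    # sha1WithRSA
SHA256_RSA_CERT = constructed_cert(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSA
```

Feed it the DER of each certificate a server actually sends (leaf plus intermediates) rather than the root from the trust store.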
dev-security-policy mailing list