On 07/11/16 17:09, Nick Lamb wrote:
> On Monday, 7 November 2016 13:53:31 UTC, Gervase Markham  wrote:
>> You mean EKU-constrained (e.g. to email, or OCSP only)?
> 
> I was thinking also of a pathlen constraint. 

Aha. So what would this look like? Something like this?


CAs may only issue SHA-1 end-entity certs chaining up to roots in
Mozilla's program if the following is true:

* The certificate is not within the scope of the Baseline Requirements;
* The issuing CA and the certificate itself both have a critical EKU
extension with a single key purpose, which is not id-kp-serverAuth or
anyExtendedKeyUsage;
* The issuing CA has a pathlen:0 constraint;
* The certificate has at least 64 bits of entropy from a CSPRNG in the
serial number


I guess it doesn't cover signing other things like OCSP responses.
Perhaps we could add:


* CAs may sign other data (such as OCSP responses) with SHA-1 for
compatibility reasons, as long as all of the signed data is static, or
defined by the CA and not by a customer.


Is this heading in the right direction? Too weak, too strong?

Gerv
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy