Hanno Böck wrote:
> I believe the potential problem is a different one: Systems that accept
> SHA256 on certificate signatures, but not on OCSP responses. I don't
> know if such systems exist, but if I had to make a bet I'd say they do.

Roland does not talk about signature algorithms. He is considering something different: OCSP requests contain a CertId to identify the requested certificate. CertId contains hashes of the issuer public key and subject-dn. Roland wants to accept OCSP requests with sha1 issuer hashes (which is standard practice today), and issue OCSP responses for those requests with a CertId with sha256 hashes (which is unusual). Especially unusual is to respond with a different CertId than was used in the request.

rfc6960 does not state that the response CertId must be constructed with the same algorithm as the request CertId. So, from a standards point of view all should be fine.

Given that the code path for verification in e.g. openssl is slightly different for same-algorithm issuer hashes than for different-algorithm issuer hashes (see ocsp_check_ids() in ocsp_vfy.c), I would be surprised if this plan will work without some major bumps. But I don't have any hard data to contribute, and Roland has said that they already did some investigations, so he'll know more about the feasibility of their plans than most of us here.

Jürgen
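An added illustration of the matching problem discussed in this message (not part of the original post, and not OpenSSL's code): a client that compares the response CertID byte-for-byte rejects a sha256 response to a sha1 request, while a client that recomputes the hashes from the issuer certificate accepts it. The issuer name and key bytes, the serial number and all function names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for fields of the issuer certificate (not from a real CA).
ISSUER_NAME_DER = bytes.fromhex("30123110300e06035504030c074578616d706c65")  # CN=Example
ISSUER_KEY_BITS = bytes(range(32))  # BIT STRING contents, without tag/length/unused-bits
SERIAL = 0x1234
ALLOWED_ALGS = {"sha1", "sha256"}

@dataclass(frozen=True)
class CertID:
    hash_alg: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int

def make_cert_id(hash_alg, issuer_name_der, issuer_key_bits, serial):
    """Build a CertID the way RFC 6960 describes: hash the issuer DN and key."""
    digest = lambda data: hashlib.new(hash_alg, data).digest()
    return CertID(hash_alg, digest(issuer_name_der), digest(issuer_key_bits), serial)

def strict_match(request, response):
    """Naive client: expects the response CertID to echo the request exactly."""
    return request == response

def response_matches(request, response, issuer_name_der, issuer_key_bits):
    """Return (ok, path). Falls back to the issuer certificate when the
    response uses a different hash algorithm than the request."""
    if request.serial != response.serial:
        return False, "serial-mismatch"
    if request.hash_alg == response.hash_alg:
        ok = (request.issuer_name_hash == response.issuer_name_hash
              and request.issuer_key_hash == response.issuer_key_hash)
        return ok, "same-algorithm"
    if response.hash_alg not in ALLOWED_ALGS:
        return False, "unsupported-algorithm"
    # Hashes from different algorithms cannot be compared with each other,
    # so recompute the expected CertID from the issuer's name and key.
    expected = make_cert_id(response.hash_alg, issuer_name_der,
                            issuer_key_bits, response.serial)
    return expected == response, "recomputed-from-issuer"

if __name__ == "__main__":
    req = make_cert_id("sha1", ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL)
    resp = make_cert_id("sha256", ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL)
    print("strict client accepts:", strict_match(req, resp))
    print("recomputing client:", response_matches(req, resp, ISSUER_NAME_DER, ISSUER_KEY_BITS))
```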

