That's a good idea, Corey. I've made a change to boulder <https://github.com/letsencrypt/boulder/pull/7179> to use that method for end-entity certificates and have updated the ceremony-demos output <https://github.com/letsencrypt/ceremony-demos/tree/7ef37c05d549f692dfae95640f503ea2170bf707/outputs/2023>. We were indeed on a path to using the full SHA-256 hash. Thanks!

On Mon, Dec 4, 2023 at 8:51 PM Peter Gutmann <[email protected]> wrote:

> 'Corey Bonnell' via [email protected] writes:
>
> >I am wondering about the rationale for switching the hash algorithm used for
> >generating SKIs. If the full SHA-256 hash of the subjectPublicKey is used as
> >the SKI value, then the intermediate certificate and end-entity certificate
> >will each be 12 octets larger (256-bit SHA-256 hash vs. 160-bit SHA-1 hash).
>
> And in particular the sKID is an implicit value, not an explicit value. In
> other words it can be anything that works for the CA, not explicitly a hash of
> the public key with a specific algorithm, although that's a very common way to
> create it.
>
> In terms of the announcement:
>
>   They will use SHA256 to compute their Subject Key Identifiers instead of SHA1.
>
> while that sort of implies use of the full hash, it could actually be
> anything, just using SHA256 instead of SHA1 at some step of the process.
>
> Peter.
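
Added example (not part of the original messages, and not Boulder's code): the size difference discussed in the quoted thread, computed in Go for three ways of deriving a key identifier from the same subjectPublicKey bits. The sample key is constructed filler, the function names are hypothetical, and the truncated variant (leftmost 160 bits of SHA-256, RFC 7093 method 1) is an assumption about one possible method, since the thread does not name it.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Constructed sample: an Ed25519 SubjectPublicKeyInfo whose 32 key bytes are filler, not a real key.
var sampleSPKI = append([]byte{0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00}, bytes.Repeat([]byte{0xa5}, 32)...)

// keyBits returns the subjectPublicKey BIT STRING value (no tag, length or unused-bits octet).
func keyBits(der []byte) ([]byte, error) {
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	_, err := asn1.Unmarshal(der, &spki)
	return spki.PublicKey.Bytes, err
}

// skiCandidates returns the SHA-1, full SHA-256 and truncated SHA-256 (leftmost 160 bits) identifiers.
func skiCandidates(bits []byte) [][]byte {
	s1, s256 := sha1.Sum(bits), sha256.Sum256(bits)
	return [][]byte{s1[:], s256[:], s256[:20]}
}

// skiExtLen returns the DER length of a subjectKeyIdentifier (2.5.29.14) extension carrying id.
func skiExtLen(id []byte) (int, error) {
	inner, err := asn1.Marshal(id) // KeyIdentifier ::= OCTET STRING
	if err != nil {
		return 0, err
	}
	ext, err := asn1.Marshal(pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 14}, Value: inner})
	return len(ext), err
}

func main() {
	bits, err := keyBits(sampleSPKI)
	if err != nil {
		panic(err)
	}
	for _, id := range skiCandidates(bits) {
		n, _ := skiExtLen(id)
		fmt.Printf("%d-octet SKI, %d-octet extension: %x\n", len(id), n, id)
	}
}
```

Relying parties compare the issuer's SKI bytes with the subject's AKI bytes rather than recomputing them, which is why any of the three values works as long as the CA uses it consistently.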
