RE: OCSP Responders Are An Attack Vector For SHA-1 Collisions

: OCSP Responders Are An Attack Vector For SHA-1 Collisions Hi Andrew Thank you for making us aware of this issue with our OCSP responder. We did make a major change in our CAs some years ago where we among other things established a new OCSP responder for all Buypass CAs used for SSL/TLS

RE: [FORGED] Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

Andrew Ayer [a...@andrewayer.name] writes: >Are there clients that will choke if they receive a response without the >expected nonce? See my previous message, since no public CAs honour nonces [0] I don't think there'd be any problem. Peter. [0] At least as of the last check a few years ago.

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

On Wed, 9 Mar 2016 21:40:32 +0100 Jakob Bohm wrote: > 1. Use a non-CA OCSP certificate if the relevant clients are known to >support this aspect of the OCSP protocol (I don't know if any OCSP >clients, historic or otherwise, lack this ability). Using a dedicated

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

On 10/03/2016 00:22, Peter Gutmann wrote: Jakob Bohm writes: 2. Find a way to add OCSP responder chosen random data in each OCSP response. Responder or requester? You've got the OCSP nonce, although since every (public) CA has disabled it that probably won't help

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

On Wed, Mar 9, 2016 at 12:40 PM, Jakob Bohm wrote: > 1. Use a non-CA OCSP certificate if the relevant clients are known to > support this aspect of the OCSP protocol (I don't know if any OCSP > clients, historic or otherwise, lack this ability). Such an OCSP >

RE: OCSP Responders Are An Attack Vector For SHA-1 Collisions

Jakob Bohm writes: >2. Find a way to add OCSP responder chosen random data in each OCSP > response. Responder or requester? You've got the OCSP nonce, although since every (public) CA has disabled it that probably won't help much. OTOH since clients won't be checking

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

On 09/03/2016 20:03, Yuhong Bao wrote: I know of one blocker: Microsoft. Their TechNet article at aka.ms/sha1 says that CAs are allowed to use SHA-1 and SHA-2 for OCSP signing certs and OCSP responses, to allow continued support for XP SP1 and 2, and Server 2003. Using SHA-2 only for OCSP

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

On 09/03/16 19:03, Yuhong Bao wrote: I know of one blocker: Microsoft. Their TechNet article at aka.ms/sha1 says that CAs are allowed to use SHA-1 and SHA-2 for OCSP signing certs and OCSP responses, to allow continued support for XP SP1 and 2, and Server 2003. Using SHA-2 only for OCSP

RE: OCSP Responders Are An Attack Vector For SHA-1 Collisions

> I know of one blocker: Microsoft. Their TechNet article at aka.ms/sha1 says > that CAs are allowed to use SHA-1 and SHA-2 for OCSP signing certs and OCSP > responses, to allow continued support for XP SP1 and 2, and Server 2003. > Using SHA-2 only for OCSP signing certs and OCSP responses

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

> I would note that we could also combine these responses. For example, we > might require that CAs retire SHA-1 for OCSP with a long-ish horizon, but > require them to use constrained OCSP certs basically ASAP. > > Of course, if we could just turn off SHA-1 for OCSP, that would be > fantastic.

RE: OCSP Responders Are An Attack Vector For SHA-1 Collisions

Hi Andrew Thank you for making us aware of this issue with our OCSP responder. We did make a major change in our CAs some years ago where we among other things established a new OCSP responder for all Buypass CAs used for SSL/TLS-certificates (including Buypass Class 2 CA 1). However, the

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

On Tue, Mar 8, 2016 at 4:58 PM, Andrew Ayer wrote: > As we all know, the Baseline Requirements forbid signing certificates > with SHA-1 after January 1, 2016. However, both the BRs and Mozilla > policy are silent on the topic of OCSP response signatures[1]. >