RE: OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-10 Thread Mads Egil Henriksveen
: OCSP Responders Are An Attack Vector For SHA-1 Collisions Hi Andrew Thank you for making us aware of this issue with our OCSP responder. We did make a major change in our CAs some years ago where we among other things established a new OCSP responder for all Buypass CAs used for SSL/TLS

RE: [FORGED] Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-09 Thread Peter Gutmann
Andrew Ayer [a...@andrewayer.name] writes: >Are there clients that will choke if they receive a response without the >expected nonce? See my previous message, since no public CAs honour nonces [0] I don't think there'd be any problem. Peter. [0] At least as of the last check a few years ago.

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-09 Thread Andrew Ayer
On Wed, 9 Mar 2016 21:40:32 +0100 Jakob Bohm wrote: > 1. Use a non-CA OCSP certificate if the relevant clients are known to >support this aspect of the OCSP protocol (I don't know if any OCSP >clients, historic or otherwise, lack this ability). Using a dedicated

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-09 Thread Jakob Bohm
On 10/03/2016 00:22, Peter Gutmann wrote: Jakob Bohm writes: 2. Find a way to add OCSP responder chosen random data in each OCSP response. Responder or requester? You've got the OCSP nonce, although since every (public) CA has disabled it that probably won't help

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-09 Thread Peter Bowen
On Wed, Mar 9, 2016 at 12:40 PM, Jakob Bohm wrote: > 1. Use a non-CA OCSP certificate if the relevant clients are known to > support this aspect of the OCSP protocol (I don't know if any OCSP > clients, historic or otherwise, lack this ability). Such an OCSP >

RE: OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-09 Thread Peter Gutmann
Jakob Bohm writes: >2. Find a way to add OCSP responder chosen random data in each OCSP > response. Responder or requester? You've got the OCSP nonce, although since every (public) CA has disabled it that probably won't help much. OTOH since clients won't be checking

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-09 Thread Jakob Bohm
On 09/03/2016 20:03, Yuhong Bao wrote: I know of one blocker: Microsoft. Their TechNet article at aka.ms/sha1 says that CAs are allowed to use SHA-1 and SHA-2 for OCSP signing certs and OCSP responses, to allow continued support for XP SP1 and 2, and Server 2003. Using SHA-2 only for OCSP

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-09 Thread Rob Stradling
On 09/03/16 19:03, Yuhong Bao wrote: I know of one blocker: Microsoft. Their TechNet article at aka.ms/sha1 says that CAs are allowed to use SHA-1 and SHA-2 for OCSP signing certs and OCSP responses, to allow continued support for XP SP1 and 2, and Server 2003. Using SHA-2 only for OCSP

RE: OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-09 Thread Yuhong Bao
> I know of one blocker: Microsoft. Their TechNet article at aka.ms/sha1 says > that CAs are allowed to use SHA-1 and SHA-2 for OCSP signing certs and OCSP > responses, to allow continued support for XP SP1 and 2, and Server 2003. > Using SHA-2 only for OCSP signing certs and OCSP responses

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-09 Thread Rick Andrews
> I would note that we could also combine these responses. For example, we > might require that CAs retire SHA-1 for OCSP with a long-ish horizon, but > require them to use constrained OCSP certs basically ASAP. > > Of course, if we could just turn off SHA-1 for OCSP, that would be > fantastic.

RE: OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-09 Thread Mads Egil Henriksveen
22:58 To: mozilla-dev-security-pol...@lists.mozilla.org Subject: OCSP Responders Are An Attack Vector For SHA-1 Collisions As we all know, the Baseline Requirements forbid signing certificates with SHA-1 after January 1, 2016. However, both the BRs and Mozilla policy are silent on the topic

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-08 Thread Richard Barnes
On Tue, Mar 8, 2016 at 4:58 PM, Andrew Ayer wrote: > As we all know, the Baseline Requirements forbid signing certificates > with SHA-1 after January 1, 2016. However, both the BRs and Mozilla > policy are silent on the topic of OCSP response signatures[1]. >

OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-08 Thread Andrew Ayer
As we all know, the Baseline Requirements forbid signing certificates with SHA-1 after January 1, 2016. However, both the BRs and Mozilla policy are silent on the topic of OCSP response signatures[1]. Theoretically, CAs could continue to sign OCSP responses with SHA-1 indefinitely. Indeed, among