• Авторизация


Gervase Markham: Killing SHA-1 Properly 07-11-2016 18:12 к комментариям - к полной версии - понравилось!


Currently, Mozilla’s ban on using the old and insecure SHA-1 hash algorithm as part of the construction of digital certificates is implemented via the ban in the CAB Forum Baseline Requirements, which we require all CAs to adhere to. However, implementing the ban via the BRs is problematic for a number of reasons:

  • It allows the issuance of SHA-1 certs in publicly-trusted hierarchies in those cases where the cert is not within scope of the BRs (e.g. email certs).
  • The scope of the BRs is a matter of debate, and so there are grey areas, as well as areas clearly outside scope, where SHA-1 issuance could happen.
  • Even when the latest version of Firefox stops trusting SHA-1 certs in January, a) that block is overrideable, and b) that doesn’t address risks to older versions.

Therefore, I’ve started a discussion on updating Mozilla’s CA policy to implement a “proper” SHA-1 ban, which we would implement via a CA Communication, and
then later in an updated version of our policy. See mozilla.dev.security.policy if you want to contribute to the discussion.

http://feedproxy.google.com/~r/HackingForChrist/~3/O1Q6JsxwwCw/

вверх^ к полной версии понравилось! в evernote


Вы сейчас не можете прокомментировать это сообщение.

Дневник Gervase Markham: Killing SHA-1 Properly | rss_planet_mozilla - Planet Mozilla | Лента друзей rss_planet_mozilla / Полная версия Добавить в друзья Страницы: раньше»