CA/PROCERT Issues: Difference between revisions

Add info about March 2016 CA Communication
(Further updates)
(Add info about March 2016 CA Communication)
Line 85: Line 85:
==Issue P: Use of SHA-1 To Sign OCSP Responses (Unknown - August 2017)==
==Issue P: Use of SHA-1 To Sign OCSP Responses (Unknown - August 2017)==


PROCERT OCSP responses are signed with SHA-1 and, since they reflect an attacker-controlled serial number, is vulnerable to a chosen prefix attack. This is not formally against documented policy but in the [https://ccadb-public.secure.force.com/mozillacommunications/CACommRespWithTextAndTotalsReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00020&QuestionIdForText=Q00026 April CA Communication], PROCERT affirmed that "SHA-1 certificates are no longer used in the infrastructure related to our root certificates included in Mozilla's CA Certificate Program. (e.g. SHA-1 is no longer used to sign OCSP responses)." This appears not to be true.
PROCERT OCSP responses are signed with SHA-1 and, since they reflect an attacker-controlled serial number, is vulnerable to a chosen prefix attack. This is not formally against documented policy but in the [https://ccadb-public.secure.force.com/mozillacommunications/CACommRespWithTextAndTotalsReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00020&QuestionIdForText=Q00026 April 2017 CA Communication], PROCERT affirmed that "SHA-1 certificates are no longer used in the infrastructure related to our root certificates included in Mozilla's CA Certificate Program. (e.g. SHA-1 is no longer used to sign OCSP responses)." They asserted something similar in the [https://ccadb-public.secure.force.com/mozillacommunications/CACommRespWithTextAndTotalsReport?CommunicationId=a05o000000iHdtx&QuestionId=Q00010&QuestionIdForText=Q00011 March 2016 CA Communication]. However, this appears not to be true.


==Issue Q: CRL Distribution Points Using HTTPS (August 2012 - August 2017)==
==Issue Q: CRL Distribution Points Using HTTPS (August 2012 - August 2017)==
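Review bot: both the old and the new wording of the first sentence carry the same agreement error, "PROCERT OCSP responses ... is vulnerable to a chosen prefix attack"; the subject is plural, so it should read "are vulnerable". The revised paragraph also still does not say why a reflected serial number matters: an OCSP response echoes the CertID (including the certificate serial number) taken from the request, so a requester controls part of the data the responder signs, which is exactly the precondition a chosen-prefix collision against SHA-1 needs. One clause after "attacker-controlled serial number" spelling that out would make the risk clear to readers who do not know OCSP. The new March 2016 reference is useful, since it shows the same assurance was given twice before the finding.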