You calculate a SHA-1 chosen prefix and you choose to attack the PGP Web-of-Trust!? Come on, forge an OCSP response from a publicly-trusted CA instead! https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02999.html … https://sha-mbles.github.io/
-
-
Hopefully the SHA-1 OCSP responses are all signed from a sub-CA technically constrained to OCSP (as required by Mozilla policy) so it can't be used to forge an actual certificate.
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.