You calculate a SHA-1 chosen prefix and you choose to attack the PGP Web-of-Trust!? Come on, forge an OCSP response from a publicly-trusted CA instead! https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02999.html … https://sha-mbles.github.io/
I haven't scanned OCSP responders in a while, but I'm sure there are still CAs signing OCSP responses with SHA-1, because it was never forbidden, and CAs will keep doing something dangerous as long as it's not forbidden.
1 reply, 0 retweets, 11 likes
Hopefully the SHA-1 OCSP responses are all signed from a sub-CA technically constrained to OCSP (as required by Mozilla policy) so it can't be used to forge an actual certificate.
1 reply, 0 retweets, 4 likes
Replying to @__agwa
Hi Andrew, I understood that the OCSP answer must be issued from the same sub-CA that issues the final certificate... Is your sentence 100% correct? Thanks!
1 reply, 0 retweets, 0 likes
Yes, I'm correct. See Section 2.6 of RFC 6960.
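An added example, not from any tweet in the thread, showing how a defender would audit a single OCSP response for the properties discussed above with the Python `cryptography` library: which hash algorithm signed it, whether the signer is a delegated responder rather than the issuing CA itself, and whether that delegated responder carries the id-kp-OCSPSigning EKU that RFC 6960 Section 2.6 requires. Every key and certificate is constructed inside the block; `make_cert`, `build_response` and `audit` are hypothetical helper names.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.now(timezone.utc)

def make_cert(cn, key, issuer_cert, issuer_key, ca=False, ocsp_signer=False):
    """Constructed test certificate (hypothetical helper); issuer_cert=None means self-signed."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name)
         .issuer_name(issuer_cert.subject if issuer_cert else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ocsp_signer:  # RFC 6960 s4.2.2.2: a delegated responder carries id-kp-OCSPSigning
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

# Constructed PKI: an issuing CA, a leaf it issued, and a delegated OCSP responder it issued.
ca_key, ee_key, resp_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ca_cert = make_cert("Constructed Issuing CA", ca_key, None, ca_key, ca=True)
ee_cert = make_cert("example.test", ee_key, ca_cert, ca_key)
responder_cert = make_cert("Constructed OCSP Responder", resp_key, ca_cert, ca_key, ocsp_signer=True)

def build_response(signer_cert, signer_key, hash_alg):
    """Good-status response for ee_cert, signed by signer_cert with the given hash (SHA-1 or SHA-256)."""
    return (ocsp.OCSPResponseBuilder()
            .add_response(ee_cert, ca_cert, hashes.SHA256(), ocsp.OCSPCertStatus.GOOD,
                          NOW, NOW + timedelta(days=7), None, None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, signer_cert)
            .certificates([signer_cert]).sign(signer_key, hash_alg))

def audit(resp, issuer_cert):
    """The thread's questions: weak hash? delegated responder? constrained to OCSP signing?"""
    signer = next((c for c in resp.certificates if c.subject == resp.responder_name), issuer_cert)
    try:
        ocsp_eku = ExtendedKeyUsageOID.OCSP_SIGNING in signer.extensions.get_extension_for_class(
            x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        ocsp_eku = False
    try:  # the responder cert must be issued by the CA that issued the certificate (RFC 6960 s2.6)
        issuer_cert.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                        ec.ECDSA(signer.signature_hash_algorithm))
        signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   ec.ECDSA(resp.signature_hash_algorithm))
        signatures_ok = True
    except Exception:
        signatures_ok = False
    return {"hash": resp.signature_hash_algorithm.name, "signatures_ok": signatures_ok,
            "weak_hash": isinstance(resp.signature_hash_algorithm, hashes.SHA1),
            "delegated": signer.subject != issuer_cert.subject, "ocsp_signing_eku": ocsp_eku}
```

A SHA-1-signed response from a properly constrained delegated responder is what the thread hopes for; a SHA-1 signature made directly with the issuing CA key is the case where a chosen-prefix collision would matter for certificate forgery.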