nhorman
commented
3 months ago @beldmit can you ennumerate the check you are concerned about here please?
Open beldmit opened 2 years ago
nhorman
commented
3 months ago @beldmit can you ennumerate the check you are concerned about here please?
beldmit
commented
3 months ago Purpose of Ballot
Weaknesses regarding the use of the SHA-1 hash algorithm for signatures have been known for several years. While there is currently a prohibition on the use of CA Private Keys to directly sign OCSP responses using SHA-1, Private Keys corresponding to OCSP delegated responders may still be used to sign OCSP responses using SHA-1. This ballot establishes a sunset date to prohibit delegated OCSP signing with the SHA-1 hash algorithm.So distrust of signatures having SHA1 (probably, taking SECLEVEL into account)?
nhorman
commented
3 months ago thank you, I'll add this to our future minor release consideration list
https://cabforum.org/2022/01/26/ballot-sc53-sunset-for-sha-1-ocsp-signing/ is approved
We need to consider our security level checks in OCSP validation.