Thanks Ben. Perhaps it's time to have another go at canvassing support for the idea. In 2006, the PKIX WG didn't seem interested in tackling the problem I was trying to solve.
Paul, do you think it's worth re-raising this idea with the PKIX WG ? On Tuesday 13 January 2009 09:39:06 Ben Bucksch wrote: > On 13.01.2009 09:48, Rob Stradling wrote: > > I made a similar suggestion to ietf.pkix in October 2006. See... > > http://www.imc.org/ietf-pkix/mail-archive/msg01964.html > > ...and the rest of that thread, including... > > http://www.imc.org/ietf-pkix/mail-archive/msg01984.html > > > > ... > > > > Ben, I agree that having multiple signatures in a certificate could be > > useful. If, for example, the certificates in the wild today contained > > both MD5/RSA and SHA-1/RSA signatures, Mozilla would be able to disable > > MD5 support *today* without "breaking the internet", as long as the > > majority of relying party software could process the additional > > signatures. > > If the industry chose to introduce such a thing now, it could help us all > > in the future when we need to move from SHA-1 to SHA-2, or from > > SHA-1/SHA-2 to SHA-3, etc. > > Rob, > > I think that's an excellent suggestion. Not only because it allows more > advanced trust management, but also, as you point out, because it eases > the transition away from SHA-1 significantly, which I think will be very > important and may shorten the transition by years. > > I think your proposal is nice, as it would allow to use the existing > extension mechanism, which means that it doesn't break current browsers. > > Also, given that software will have to be changed anyways to support > SHA-2 or whatever, and we'll eventually use only that, I think there's - > in addition to the backwards-compatible way you propose - a chance to > introduce a new format which supports several signatures in a > straightforward way, and also other improvements which were hindered by > backwards-compatibility. > > Greetings, and thanks a lot! > > Ben > _______________________________________________ > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- Rob Stradling Senior Research & Development Scientist Comodo - Creating Trust Online Office Tel: +44.(0)1274.730505 Fax Europe: +44.(0)1274.730909 www.comodo.com Comodo CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by Comodo for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
