SHA1 collisions proven possisble
mysidia at gmail.com
Sat Feb 25 22:44:13 UTC 2017
On Thu, Feb 23, 2017 at 2:03 PM, Patrick W. Gilmore <patrick at ianai.net> wrote:
> For instance, someone cannot take Verisign’s root cert and create a cert which collides
> on SHA-1. Or at least we do not think they can. We’ll know in 90 days when
> Google releases the code.
Maybe. If you assume that no SHA attack was known to anybody at the
time the Verisign
cert was originally created, And that the process used to originally
create Verisign's root cert
was not tainted to leverage such attack.
If it was tainted, then maybe there's another version of the
certificate that was constructed
with a different Subject name and Subject public key, but the same
SHA1 hash, and same Issuer Name and same Issuer Public Key.
More information about the NANOG