SHA1 collisions proven possisble

Jimmy Hess mysidia at
Sat Feb 25 22:44:13 UTC 2017

On Thu, Feb 23, 2017 at 2:03 PM, Patrick W. Gilmore <patrick at> wrote:

> For instance, someone cannot take Verisign’s root cert and create a cert which collides
> on SHA-1. Or at least we do not think they can. We’ll know in 90 days when
> Google releases the code.

Maybe.   If you assume that no SHA attack was known to anybody at the
time the Verisign
cert was originally created,  And that the process used to originally
create Verisign's root cert
was not tainted  to leverage such attack.

If it was tainted,  then  maybe there's another version of the
certificate that was constructed
with a different Subject name and Subject public key,  but the same
SHA1 hash, and same Issuer Name and same Issuer Public Key.

> --

More information about the NANOG mailing list