Issue 766682

Issue metadata

Status: Archived
Owner: ----
Closed: Oct 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug

Security: Google SSL root CA GeoTrust Global CA is using SHA1 signature

Reported by reejithk...@gmail.com, Sep 19 2017

Issue description


Hi,

Could you please let me know why Google is using the SHA1 signature algorithm for its root CA, which is GeoTrust Global CA? All the logic that you apply for issuing CAs is applicable to the root CA as well; even though the root is not issuing any certificates, it can sign subordinate CAs. Microsoft is considering this as a security issue. When you declare SHA1-signed certificates as invalid, then why is it not applicable to your root CA?

Regards

Reejith Kumar K

Components: Internals>Network>Certificate
Labels: Needs-Feedback
The signature algorithm used on the root CA is largely irrelevant, as the root certificate is trusted by virtue of the fact that the certificate itself is placed directly in the OS' trust store. That's why you'll see certificates with MD5 (and weaker) still included in OS trust stores.

https://security.stackexchange.com/a/120302/7869

The signature algorithm of intermediate and end-entity certificates, in contrast, is important.

When you say "Microsoft is considering this as a security issue", can you please elaborate on what you mean? Microsoft platforms still include and support root certificates with MD5 and SHA1 hash algorithms.
https://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
"Note: SHA-1-based signatures for trusted root certificates are not a problem because TLS clients trust them by their identity, rather than by the signature of their hash."
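The distinction drawn in the reply above (a root is trusted because it is in the trust store, while every certificate below it is trusted because of a signature the client actually verifies) is shown here as an added example. It is not code from this thread or from Chromium's certificate verifier; `Cert`, `check_chain`, the fingerprint-keyed trust store and the sample certificates are a constructed model that uses only the Python standard library, and it covers only the signature-algorithm policy, not the signature math, validity dates or name checks a real verifier performs.

```python
import hashlib
from dataclasses import dataclass

# Signature hashes a modern TLS client refuses on the signatures it evaluates.
WEAK_SIGNATURE_HASHES = {"md5", "sha1"}


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed model, not a parser)."""
    subject: str
    issuer: str
    sig_hash: str   # hash used in this certificate's own signature
    der: bytes      # stand-in for the DER encoding; used only for fingerprinting

    def fingerprint(self) -> str:
        # Trust stores identify a root by a hash of the whole certificate.
        return hashlib.sha256(self.der).hexdigest()


def build_trust_store(roots):
    """Trust store keyed by fingerprint: membership is the only test a root gets."""
    return {root.fingerprint(): root for root in roots}


def check_chain(chain, trust_store):
    """Apply the signature-algorithm policy to a leaf-first chain ending at the root.

    Returns (accepted, reason). Only the policy layer is modelled: a real
    verifier also checks the signature bytes, validity dates, name constraints, etc.
    """
    if not chain:
        return False, "empty chain"
    *path, root = chain

    # The root is trusted by identity: it must be in the store, and its
    # self-signature (whatever hash it used) is never evaluated.
    if root.fingerprint() not in trust_store:
        return False, f"root {root.subject!r} is not a trust anchor"

    # Every certificate below the root carries a signature the client relies on,
    # so the hash algorithm of that signature matters.
    for i, cert in enumerate(path):
        issuer = chain[i + 1]
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject!r} was not issued by {issuer.subject!r}"
        if cert.sig_hash.lower() in WEAK_SIGNATURE_HASHES:
            return False, f"{cert.subject!r} is signed with {cert.sig_hash}"
    return True, "chain accepted"


# Constructed sample data: the root name echoes the thread, the bytes are arbitrary.
ROOT = Cert("GeoTrust Global CA", "GeoTrust Global CA", "sha1", b"constructed-root-der")
INTERMEDIATE = Cert("Example Intermediate CA", "GeoTrust Global CA", "sha256", b"constructed-ica-der")
LEAF = Cert("www.example.com", "Example Intermediate CA", "sha256", b"constructed-leaf-der")
WEAK_INTERMEDIATE = Cert("Example Intermediate CA", "GeoTrust Global CA", "sha1", b"constructed-weak-ica-der")

TRUST_STORE = build_trust_store([ROOT])


def demo():
    """Return the three outcomes the thread's reasoning predicts (all True)."""
    return {
        # SHA-1 on the root is irrelevant: the root is matched by fingerprint.
        "sha1_root_ok": check_chain([LEAF, INTERMEDIATE, ROOT], TRUST_STORE)[0],
        # SHA-1 on an intermediate is fatal: that signature is actually relied on.
        "sha1_intermediate_rejected": not check_chain([LEAF, WEAK_INTERMEDIATE, ROOT], TRUST_STORE)[0],
        # Same chain, root absent from the store: the identity check fails.
        "unknown_root_rejected": not check_chain([LEAF, INTERMEDIATE, ROOT], {})[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'pass' if result else 'FAIL'}")
```

The root's `sig_hash` is never read anywhere in `check_chain`; that is the whole point of the reply. Changing the root's self-signature from SHA-1 to SHA-256 would alter its fingerprint (so trust stores would need updating) but would not change what the client verifies.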
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug

Comment 4 by rch@chromium.org, Sep 25 2017

reejithkumar@gmail.com: can you answer the question in comment #1?
Status: Archived (was: Unconfirmed)
Archiving bug due to lack of response from the bug creator. reejithkumar@, please create a new bug if your question still remains.