25 Feb
2017
25 Feb
'17
5:44 p.m.
On Thu, Feb 23, 2017 at 2:03 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
For instance, someone cannot take Verisign’s root cert and create a cert which collides on SHA-1. Or at least we do not think they can. We’ll know in 90 days when Google releases the code.
Maybe. If you assume that no SHA attack was known to anybody at the time the Verisign cert was originally created, And that the process used to originally create Verisign's root cert was not tainted to leverage such attack. If it was tainted, then maybe there's another version of the certificate that was constructed with a different Subject name and Subject public key, but the same SHA1 hash, and same Issuer Name and same Issuer Public Key.
-- TTFN, -- -JH