On Tue, Feb 28, 2017 at 01:16:23PM -0600, James DeVincentis via NANOG wrote:
The CA signing the cert actually changes the fingerprint
The what? RFC5280 does not contain the string "finger".
(and serial number, which is what is checked on revocation lists)
The CA doesn't "change" the serial number (a CSR doesn't have a place to even ask for a serial), they pick one, and while it's *supposed* to be at least partially random, given the largely appalling state of CA operations (and, even worse, the competence of the auditors who are supposed to be making sure they're doing the right thing), I'd be awfully surprised if there wasn't at least one CA in a commonly-used trust store which was issuing certificates with predictable serial numbers.
Beyond that, SHA1 signing of certificates has long been deprecated and no new public CAs will sign a CSR and cert with SHA1.
Except all the ones that the payment industry (there's a group with no stake in good security, huh?) have managed to convince browsers to allow (thankfully, they get a good counter-cryptanalysis over them first), and all the ones that have been issued "by mistake" to inconsequential organisations like, say, HMRC (which just appear in CT logs, and the vigilance of the community finds and brings to the attention of trust stores). - Matt -- <Igloo> I remember going to my first tutorial in room 404. I was most upset when I found it.