
Re: Sha2 SSL Certificate



Wed 2014-06-18 at 21:58 -0700, jungleboogie0 wrote:
> On 18 June 2014 21:35, Colin Percival <cperciva@tarsnap.com> wrote:
> > On 06/18/14 20:12, jungleboogie0 wrote:
> >> I was wondering if you will be upgrading to a SHA2 SSL/TLS cert in
> >> August when your existing SSL/TLS expires.
> >
> > No.  Not sure I see any point really...
> 
> Well would anything detrimental be introduced that could possibly
> break it? Probably not.
> 
> >
> >> You could even go with ECDSA for extra nerd points!
> >
> > You mean, if I wanted less compatibility?
> 
> Security is always a trade-off...

Really? How would sha2/ecdsa signed certs in this individual case
improve security in any meaningful manner? I mean, no matter how the
(www.)tarsnap.com cert is signed it would be just as effective to go
after a sha1 signed intermediate CA certificate.

Given the way https:// and CAs are used in regular web browsers
today, you only really get a meaningful change when you collectively move
off the lowest common denominator, such as the current/recent move off md5
signed certs.

There is of course a huge benefit in trying to move off the current
flat CA trust model, but that is another matter.

// Andreas
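Andreas's weakest-link point, as an added example that is not part of the original thread: a chain audit that reads the outer signatureAlgorithm of every certificate in a PEM bundle and reports the weakest hash in the chain, so a sha256-signed leaf above a sha1-signed intermediate still comes out as "sha1". The minimal DER parser and the stub-certificate builder are my own; the stubs are constructed test input with real outer Certificate framing but dummy tbsCertificate and signatureValue fields.

```python
import base64, re

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> hash they use
SIG_OID_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
}
HASH_RANK = {"unknown": -1, "md5": 0, "sha1": 1, "sha256": 2}

def _tlv(buf, pos):  # one DER tag+length at pos -> (tag, value_start, value_end)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):  # DER OID content octets -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_hash(der):  # hash named by the outer signatureAlgorithm of a DER Certificate
    _, start, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE {
    _, _, tbs_end = _tlv(der, start)            #   tbsCertificate (skipped whole)
    _, alg_start, _ = _tlv(der, tbs_end)        #   signatureAlgorithm SEQUENCE {
    tag, o_start, o_end = _tlv(der, alg_start)  #     algorithm OBJECT IDENTIFIER
    assert tag == 0x06, "signatureAlgorithm must start with an OID"
    return SIG_OID_HASH.get(_decode_oid(der[o_start:o_end]), "unknown")

def chain_weakest(pem_bundle):  # per-cert hashes of a PEM chain, plus the weakest one
    b64s = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_bundle, re.S)
    hashes = [signature_hash(base64.b64decode(b)) for b in b64s]
    return hashes, min(hashes, key=HASH_RANK.__getitem__)

def stub_cert_pem(oid_bytes):  # constructed test input: real outer framing, stub fields
    alg = b"\x30" + bytes([len(oid_bytes) + 4, 0x06, len(oid_bytes)]) + oid_bytes + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x01" + alg + b"\x03\x02\x00\xab"  # tbs stub, alg, sig stub
    b64 = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
```

`chain_weakest` accepts any real PEM chain as well (leaf, intermediates, root in one file); the stubs only exist so the block runs offline.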
