
Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate

2009-01-01 07:32:24

Mike <mike-list(_at_)pobox(_dot_)com> writes:

> We are simply not vigilant enough.  This issue has been on our plate
> since 2004.
>
> SHA-1 is next and neither the client side vendors nor the big
> Enterprises have pushed to move to SHA-256.
>
> There is a simple fix -- a CA can just reorder the extensions prior to
> issuing a certificate.

That's actually a nice fix, but unfortunately not universally applicable: for
some types of signed data (e.g. S/MIME attributes) the DER rules require
sorting the encoded extensions, so there's only one valid order for them (and
some applications actually check for this, so you have to do it or sig checks
will start failing).
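An added illustration of the DER point in the reply above; this is example code written for this page, not code from the thread or from any of the people quoted. It contrasts the two structures the discussion touches: X.509 Extensions are a SEQUENCE OF (RFC 5280), so a CA may emit them in any order, while CMS/S-MIME signed attributes are a SET OF (RFC 5652), which X.690 section 11.6 requires to be sorted by encoded octets (shorter encodings padded with trailing zeros for the comparison). The attribute OIDs are the real PKCS#9 values; the digest bytes are a constructed placeholder; only single-byte tags are handled, which is enough for these structures.

```python
"""DER ordering: SEQUENCE OF keeps the encoder's order, SET OF has one order.
X.690 11.6: SET OF elements ascend by encoding, compared as octet strings with
the shorter one padded at its trailing end with 0x00. Single-byte tags only."""


def der_length(n: int) -> bytes:
    """Minimal (DER) length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs fused, the rest base-128, MSB-first."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def _sorted_set_elements(elements: list) -> list:
    """X.690 11.6 order: compare encodings padded with trailing zero octets."""
    width = max((len(e) for e in elements), default=0)
    return sorted(elements, key=lambda e: e + b"\x00" * (width - len(e)))


def der_set_of(elements: list) -> bytes:
    """SET OF: the encoder has no freedom, the byte values fix the order."""
    return der_tlv(0x31, b"".join(_sorted_set_elements(elements)))


def der_sequence_of(elements: list) -> bytes:
    """SEQUENCE OF: order preserved as given (certificate Extensions are this)."""
    return der_tlv(0x30, b"".join(elements))


def _read_header(buf: bytes, i: int):
    """(tag, content_start, content_end) of the TLV at offset i; rejects
    indefinite and non-minimal lengths the way a strict DER decoder does."""
    tag, first = buf[i], buf[i + 1]
    if first & 0x80 == 0:
        length, start = first, i + 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[i + 2 : i + 2 + n], "big")
        if length < 0x80 or (n > 1 and buf[i + 2] == 0):
            raise ValueError("non-minimal length is not DER")
        start = i + 2 + n
    end = start + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, start, end


def split_tlvs(content: bytes) -> list:
    """Split the concatenated elements of a constructed value."""
    out, i = [], 0
    while i < len(content):
        _, _, end = _read_header(content, i)
        out.append(content[i:end])
        i = end
    return out


def set_of_is_canonical(encoding: bytes) -> bool:
    """The check a strict verifier applies to a SET OF such as CMS signedAttrs:
    the elements must already be in X.690 11.6 order, or the signature check
    fails on the re-encoded attributes."""
    tag, start, end = _read_header(encoding, 0)
    if tag != 0x31 or end != len(encoding):
        raise ValueError("expected exactly one DER SET")
    elements = split_tlvs(encoding[start:end])
    return elements == _sorted_set_elements(elements)


# Constructed sample: the two mandatory CMS signed attributes.
# Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF ANY }
FAKE_DIGEST = bytes(range(32))  # placeholder bytes, not a real hash
ATTR_CONTENT_TYPE = der_sequence_of(
    [der_oid("1.2.840.113549.1.9.3"), der_set_of([der_oid("1.2.840.113549.1.7.1")])])
ATTR_MESSAGE_DIGEST = der_sequence_of(
    [der_oid("1.2.840.113549.1.9.4"), der_set_of([der_tlv(0x04, FAKE_DIGEST)])])

if __name__ == "__main__":
    # SignedAttributes ::= SET OF Attribute: identical bytes whatever order we start from.
    canonical = der_set_of([ATTR_MESSAGE_DIGEST, ATTR_CONTENT_TYPE])
    print("canonical signedAttrs:", canonical.hex())
    # Same elements concatenated in the other order: a strict verifier rejects it,
    # so the "reorder before issuing" trick has no room to work here.
    reordered = der_tlv(0x31, ATTR_MESSAGE_DIGEST + ATTR_CONTENT_TYPE)
    print("reordered SET passes strict check:", set_of_is_canonical(reordered))
    # Extensions (SEQUENCE OF) encode both orders as valid DER.
    print("extensions differ by order:", der_sequence_of([ATTR_CONTENT_TYPE, ATTR_MESSAGE_DIGEST])
          != der_sequence_of([ATTR_MESSAGE_DIGEST, ATTR_CONTENT_TYPE]))
```

Note that the ordering is decided purely by the encoded octets, so which attribute ends up first depends on lengths and tags rather than on anything semantic; with a shorter digest the messageDigest attribute would sort ahead of contentType.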