Daniel Kahn Gillmor wrote:
> The X.509 community was able to respond by further deprecating MD5
> because there was a parameterized method in place to switch to another
> hash function. OpenPGP currently has this in place almost everywhere a
> hash function is used. That's good!
As far as I can judge, X.509 PKI is still in the state of catastrophic failure
with no obvious way out.
Right now, if my browser (or yours, or anybody else's) tells me that the site I
am browsing presented a certificate issued to it by a legitimate CA, I cannot be
sure that this assertion is true. Rejecting all certificates with MD5 in their
signatures is not a solution (there are too many out there and replacing them
requires non-trivial cooperation between different parties; no-one can do it
acting alone). Not issuing any more MD5-based certificates is not a solution
(who knows how many rogue CAs are already out there?). In fact, I do not see an
easy and cheap solution out of this mess.
It is a good thought-experiment to assess the consequences of an existential
collision attack on SHA1 such as the one we have for MD5 on OpenPGP security,
considering all the places where SHA1 is wired in. I haven't checked every
corner of RFC4880, but I can see no catastrophic failure akin to what happened
to X.509 PKI.
--
Daniel
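As an added illustration of the "parameterized" hash field the quoted message refers to (example code, not from either correspondent): a minimal Python parser for a version 4 OpenPGP signature packet (RFC 4880) that reads the hash-algorithm identifier and applies a local deprecation policy, the kind of check a verifier can apply because the algorithm is a negotiable field rather than hard-wired. The packet bytes and the DEPRECATED_HASHES policy are constructed for this example.

```python
# Hash algorithm IDs from RFC 4880 section 9.4 (1 = MD5, 2 = SHA1, ...).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Public-key algorithm IDs from RFC 4880 section 9.1.
PUBKEY_ALGOS = {1: "RSA", 3: "RSA (sign-only)", 17: "DSA"}
# Local verifier policy (constructed for this example): hashes with known collisions.
DEPRECATED_HASHES = {"MD5", "SHA1"}
# Old-format length-type -> number of length octets; type 3 means indeterminate.
LENGTH_OCTETS = {0: 1, 1: 2, 2: 4}


def parse_packet_header(data: bytes):
    """Return (tag, body) for an old-format packet header (RFC 4880 4.2.1)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet: high bit of first octet clear")
    if ctb & 0x40:
        raise ValueError("new-format packet headers not handled in this example")
    tag = (ctb >> 2) & 0x0F
    n = LENGTH_OCTETS.get(ctb & 0x03)
    if n is None:
        raise ValueError("indeterminate packet length not supported")
    length = int.from_bytes(data[1:1 + n], "big")
    body = data[1 + n:1 + n + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def inspect_signature(packet: bytes) -> dict:
    """Report a v4 signature packet's algorithm fields and whether its hash passes policy."""
    tag, body = parse_packet_header(packet)
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    version, _sig_type, pk_alg, hash_alg = body[:4]
    if version != 4:
        raise ValueError(f"only version 4 signatures handled, got version {version}")
    hash_name = HASH_ALGOS.get(hash_alg, f"unknown({hash_alg})")
    return {"pubkey_alg": PUBKEY_ALGOS.get(pk_alg, f"unknown({pk_alg})"),
            "hash_alg": hash_name,
            "acceptable": hash_name not in DEPRECATED_HASHES}


# Constructed samples (not real signatures): 0x88 = old format, tag 2,
# one-octet length; body = version 4, type 0x00, RSA, then the hash ID.
SHA256_RSA_SIG = bytes([0x88, 0x04, 0x04, 0x00, 0x01, 0x08])
MD5_RSA_SIG = bytes([0x88, 0x04, 0x04, 0x00, 0x01, 0x01])
```

Only the four leading fixed fields are decoded; a real verifier would continue with the hashed and unhashed subpacket areas and the MPIs that follow them.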