
RE: [saag] Further MD5 breaks: Creating a rogue CA certificate

2008-12-30 16:49:18

Ceasing the issuance of certificates with MD5 used in the signature doesn't
solve the problem of the certificates that have already been issued and are
still out there, any number of which may be rogue.

Replacing, or marking as untrusted all root certificates which have any
current valid (i.e. non-expired, non-revoked) certificates with MD5 used in
the signature could have tremendous undesirable impact and be an untenable

The right tool for the job is a client-side solution to fail validation of
any signature which uses MD5, especially certificate signatures.  I will not
hold my breath for such a solution.


 Peter Hesse                       pmhesse(_at_)geminisecurity(_dot_)com
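A client-side check of the kind described above, as an added example that is not from this thread or any of its participants: it reads the outer signatureAlgorithm OID straight from the DER of a certificate and refuses MD5- and MD2-based signatures. The toy_certificate builder, the constructed certificate bytes and the function names are assumptions made for this example, not real certificates or any library's API.

```python
# Added example: client-side rejection of MD5/MD2-signed certificates,
# read straight from the outer signatureAlgorithm OID of the DER.
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                       "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OID contents (base-128 arcs) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Dotted OID from Certificate.signatureAlgorithm (the outer one)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate
    atag, alg_id, _ = _read_tlv(cert, pos) # AlgorithmIdentifier SEQUENCE
    otag, oid_raw, _ = _read_tlv(alg_id, 0)
    assert atag == 0x30 and otag == 0x06, "malformed AlgorithmIdentifier"
    return _decode_oid(oid_raw)

def check_signature_algorithm(cert_der):
    """Return (accepted, detail); accepted is False for MD5/MD2 signatures."""
    oid = signature_algorithm_oid(cert_der)
    if oid in WEAK_SIGNATURE_OIDS:
        return False, f"rejected: {WEAK_SIGNATURE_OIDS[oid]} ({oid})"
    return True, oid

# Constructed stand-in certificates (not real certs): an empty tbsCertificate,
# the given AlgorithmIdentifier and a dummy BIT STRING as the signature.
MD5_RSA = bytes.fromhex("06092a864886f70d010104")     # md5WithRSAEncryption
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption

def toy_certificate(alg_oid_der):
    alg = alg_oid_der + b"\x05\x00"                     # OID + NULL params
    body = b"\x30\x02\x05\x00" + bytes([0x30, len(alg)]) + alg + b"\x03\x02\x00\xff"
    return bytes([0x30, len(body)]) + body
```

A real validator would run this check on every certificate in the chain, the trust anchor included, and would also confirm that the signature field inside tbsCertificate names the same algorithm as the outer one.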

-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org 
On Behalf Of RL 'Bob' Morgan
Sent: Tuesday, December 30, 2008 4:18 PM
To: Paul Hoffman
Cc: ietf-pkix(_at_)imc(_dot_)org; ietf-smime(_at_)imc(_dot_)org; 
saag(_at_)ietf(_dot_)org; cfrg(_at_)irtf(_dot_)org
Subject: Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

Regardless of that, the authors of the MD5 paper are correct: trust 
anchors signed with MD5 are highly questionable as of today (well, 
actually, since they published their last paper). Hopefully, the 
maintainers of the popular trust anchor repositories (Microsoft, 
Mozilla, etc.) will yank out the trust anchors signed with MD5 (and 
MD2!) as soon as possible.

This is a different claim than "CAs should stop issuing certs with MD5 
signatures", which is what I as an amateur take away from a quick scan of 
the material.  Obviously MD5 is suspect in various ways, but does this new 
work lead to the conclusion that MD5-signed roots are untrustworthy today?
Replacing a root is a much bigger deal than changing signing practices.

  - RL "Bob"