Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate

ietf-smime

[Top] [All Lists]

<prev [Date] next>

<prev [Thread] next>

Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate

2008-12-30 17:17:12

from [Timothy J. Miller]

[Permanent Link]

Eric Rescorla wrote:

At Tue, 30 Dec 2008 12:53:06 -0800,
Paul Hoffman wrote:

Your recollection may be off. I believe I was the person who brought
up the serial number hack at the mic, and I'm pretty sure I said
"some", not "many" (and certainly not "most"!). When I looked at a
handful of popular CAs earlier this week, I only found a few who are
using randomization in their serial numbers.

I don't know whether many or most do it. IMO everyone should.

Randomizing serial numbers has implications for OCSP operations,particularly those that use presigned responses in order to optimizeperformance.

Why presign? Because for a large network with varying levels ofsupport, it may be easier to move around sets of pre-produced responsesto distributed keyless OCSP responders than to guarantee connectivity toa keyed OCSP service.

Why presign batches rather than individual responses? Because for alarge PKI the response pre-production time can exceed the CRL updatefrequency.


-- Tim

smime.p7s
Description: S/MIME Cryptographic Signature

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: [saag] Further MD5 breaks: Creating a rogue CA certificate, (continued) Message not available Re: [saag] Further MD5 breaks: Creating a rogue CA certificate, Jeffrey Hutzelman RE: [saag] Further MD5 breaks: Creating a rogue CA certificate, Peter Gutmann RE: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate, Santosh Chokhani Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate, Eric Rescorla Re: [saag] Further MD5 breaks: Creating a rogue CA certificate, Yoav Nir RE: [saag] Further MD5 breaks: Creating a rogue CA certificate, Santosh Chokhani Message not available Re: [saag] Further MD5 breaks: Creating a rogue CA certificate, Russ Housley Message not available Re: [saag] Further MD5 breaks: Creating a rogue CA certificate, Scott Rea RE: [saag] Further MD5 breaks: Creating a rogue CA certificate, Santosh Chokhani Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate, Eric Rescorla Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate, Timothy J. Miller <= Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate, Eric Rescorla Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate, Eric Rescorla Re: Further MD5 breaks: Creating a rogue CA certificate, Russ Housley Re: Further MD5 breaks: Creating a rogue CA certificate, Timothy J. Miller RE: Further MD5 breaks: Creating a rogue CA certificate, Santosh Chokhani Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate, Blake Ramsdell Re: Further MD5 breaks: Creating a rogue CA certificate, Hugo Krawczyk Re: Further MD5 breaks: Creating a rogue CA certificate, Russ Housley Message not available Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CA certificate, Jeffrey Hutzelman Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CA certificate, Nicolas Williams

Previous by Date:	Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CA certificate, Jeffrey Hutzelman
Next by Date:	Re: [saag] Further MD5 breaks: Creating a rogue CA certificate, Russ Housley
Previous by Thread:	Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate, Eric Rescorla
Next by Thread:	Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate, Eric Rescorla
Indexes:	[Date] [Thread] [Top] [All Lists]