Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate

ietf-smime

Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate

2008-12-30 17:33:57


On Tue, Dec 30, 2008 at 2:05 PM, Timothy J. Miller 
<tmiller(_at_)mitre(_dot_)org> wrote:

Randomizing serial numbers has implications for OCSP operations,
particularly those that use presigned responses in order to optimize
performance.


It seems that the disruption caused by modifying serial number
generation for existing CAs is pretty high. Would an easier solution
be to either a) make the validity period vary slightly (in the
documented attack, the notBefore was always a fixed interval from the
submission time, and making this vary in a period of just a few
minutes would have thwarted it, if I'm understanding correctly), or b)
the CA sticks some random junk in the subject DN (not an MPEG of a
cat, but maybe OU=sf9fj3 [some base64 PRNG data]).

Blake
-- 
Blake Ramsdell | http://www.blakeramsdell.com

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: [saag] Further MD5 breaks: Creating a rogue CA certificate, (continued) Message not available Re: [saag] Further MD5 breaks: Creating a rogue CA certificate, Russ Housley Message not available Re: [saag] Further MD5 breaks: Creating a rogue CA certificate, Scott Rea RE: [saag] Further MD5 breaks: Creating a rogue CA certificate, Santosh Chokhani Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate, Eric Rescorla Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate, Timothy J. Miller Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate, Eric Rescorla Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate, Eric Rescorla Re: Further MD5 breaks: Creating a rogue CA certificate, Russ Housley Re: Further MD5 breaks: Creating a rogue CA certificate, Timothy J. Miller RE: Further MD5 breaks: Creating a rogue CA certificate, Santosh Chokhani Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate, Blake Ramsdell <= Re: Further MD5 breaks: Creating a rogue CA certificate, Hugo Krawczyk Re: Further MD5 breaks: Creating a rogue CA certificate, Russ Housley Message not available Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CA certificate, Jeffrey Hutzelman Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CA certificate, Nicolas Williams Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CA certificate, Jeffrey Hutzelman RE: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate, Santosh Chokhani

Previous by Date:	Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate, Eric Rescorla
Next by Date:	Re: [saag] Further MD5 breaks: Creating a rogue CA certificate, Scott Rea
Previous by Thread:	RE: Further MD5 breaks: Creating a rogue CA certificate, Santosh Chokhani
Next by Thread:	Re: Further MD5 breaks: Creating a rogue CA certificate, Hugo Krawczyk
Indexes:	[Date] [Thread] [Top] [All Lists]