ietf-smime

Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CA certificate

2008-12-30 18:23:52

--On Tuesday, December 30, 2008 04:36:12 PM -0600 Nicolas Williams <Nicolas(_dot_)Williams(_at_)sun(_dot_)com> wrote:

> Applying a principle of redundancy in RTI algorithms to symmetric key
> protocols is fairly simple.  Applying such a principle to PKI seems
> rather more difficult -- it's not just hash algorithms, but pk
> algorithms too.  Your example was to require not just the implementation
> of multiple hash (but not pk) algorithms, but to require the *use* of
> those.  That makes sense to me, but it's not quite the same principle
> being applied to PKI as to SSH.

Correct. I'm suggesting that in the case of PKI, merely having two RTI algorithms wouldn't be sufficient; at least for long-term certificates you need to actually sign using two algorithms in order to get the interoperability benefit. Validating using both isn't necessary, though it does have a benefit, in that no code or configuration changes are required to continue to be safe as long as at least one is good enough.

IMHO, one of the biggest problems in the current PKI standards is that there is no ability to future-proof certificates by generating signatures with multiple algorithms. The result is that you can't start signing with a new algorithm until everyone understands it, and you can't stop accepting an old algorithm without either reissuing lots of certificates with a new one or waiting for them to expire. This means movement is very slow and we are unable to abandon a broken algorithm in a hurry. The former is poor; the latter is a disaster waiting to happen.

-- Jeff
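
The following is an added example, not part of the original message and not any standard's certificate format: it sketches the dual-signature idea discussed above and the two relying-party policies (accept any trusted signature, or require every understood signature to verify). The toy RSA key, the dictionary of signatures and the names `sign` and `verify` are assumptions made for illustration.

```python
import hashlib

# Toy RSA key from two known Mersenne primes: illustrative only, far too
# small to be secure, and not how a real CA key is generated.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def _digest(alg, tbs):
    """Hash the to-be-signed bytes and reduce into the toy modulus."""
    return int.from_bytes(hashlib.new(alg, tbs).digest(), "big") % N

def sign(tbs, algs):
    """Issuer: one signature per hash algorithm over the same bytes."""
    return {alg: pow(_digest(alg, tbs), D, N) for alg in algs}

def verify(tbs, sigs, understood, distrusted=frozenset(), require_all=False):
    """Relying party.

    understood:  algorithms this verifier implements
    distrusted:  algorithms it implements but no longer accepts on their own
    require_all: False -> any trusted signature that verifies is enough
                 True  -> every understood signature must verify as well
    """
    usable = [a for a in sigs if a in understood]
    results = {a: pow(sigs[a], E, N) == _digest(a, tbs) for a in usable}
    trusted_ok = [a for a, ok in results.items() if ok and a not in distrusted]
    if require_all:
        return bool(trusted_ok) and all(results.values())
    return bool(trusted_ok)

# Constructed sample input: a stand-in for a certificate's to-be-signed bytes.
TBS = b"CN=example.test,serial=01"
DUAL = sign(TBS, ["md5", "sha256"])    # long-lived cert signed both ways
LEGACY = sign(TBS, ["md5"])            # cert signed with the old hash only
# Models a signature set where only the md5 signature checks out.
MD5_ONLY_VALID = {"md5": DUAL["md5"], "sha256": DUAL["sha256"] ^ 1}

if __name__ == "__main__":
    both = {"md5", "sha256"}
    print("old verifier, dual cert:", verify(TBS, DUAL, {"md5"}))
    print("md5 dropped, dual cert:", verify(TBS, DUAL, both, {"md5"}))
    print("md5 dropped, legacy cert:", verify(TBS, LEGACY, both, {"md5"}))
    print("any-of, md5-only-valid:", verify(TBS, MD5_ONLY_VALID, both))
    print("all-of, md5-only-valid:",
          verify(TBS, MD5_ONLY_VALID, both, require_all=True))
```
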