--On Tuesday, December 30, 2008 06:28:07 PM -0500 Santosh Chokhani
> Since the attack is computing pre-image, I suspect that past MD5
> certificates are safe until the attack was devised.
The attack does _not_ involve computing a preimage; it involves computing a
colliding pair one of which has a prefix which is predictable but not
controllable, followed by a controllable component consisting of some
minimum number of bits followed by at least three aligned message blocks.
What makes existing certificates safe is that there are no known preimage
attacks against MD5, coupled with limitations of the technique used to
construct the colliding pair.
However, there is a limit to how "safe" existing certificates are, because
the attack does not require anything that was not known 3-4 years ago. The
only change is that with the latest techniques for computing collisions, it
is possible to do so in a short enough time to be able to predict the
validity and serial number that will be used by the issuer with fairly high