RE: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate
2008-12-31 10:49:47Colleagues - It has been confirmed that no EV issuer is signing certificates with MD5. Also, EV certificates cannot be issued by an automated process, putting another obstacle in the path of an attacker. All the best. Tim. Tim Moses +1 613 270 3183 -----Original Message----- From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org [mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Timothy J. Miller Sent: Wednesday, December 31, 2008 10:18 AM To: Santosh Chokhani Cc: ietf-pkix(_at_)imc(_dot_)org; ietf-smime(_at_)imc(_dot_)org; cfrg(_at_)irtf(_dot_)org; saag(_at_)ietf(_dot_)org Subject: Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate Santosh Chokhani wrote:
One would think we want to start using SHA-1 or even SHA256 (assuming client vendors implement SHA256 ASAP) and ask the CAs emanating from commercial roots to perform responsible I&A before issuing certificates.
Speaking of I&A, I found it interesting to note that the CA/Browser forum guidelines for EV certs allows (but recommends against) MD5 until 2010. The spot check of EV issuers I did yesterday didn't turn up anyone actually using MD5, but I didn't have all of 'em available. -- Tim
smime.p7s
Description: S/MIME cryptographic signature
| Previous by Date: | RE: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate, Santosh Chokhani |
|---|---|
| Next by Date: | Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate, Mike |
| Previous by Thread: | Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate, Timothy J. Miller |
| Next by Thread: | Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate, Eric Rescorla |
| Indexes: | [Date] [Thread] [Top] [All Lists] |