These things need to be thought through.
If all the CAs did this, it might work. But what if the client side
was looking for junk in the certificate as evidence of collision?
Also, the client will not enforce this.
So, if you are relying on CAs, why not ask them to switch to SHA-1 as
opposed to adding more software to the CA? SHA-1 is purely a
configuration item for the CA deployments.
I just find that all three mail lists are getting work out and real
message and analysis is getting lost.
For example, folks are still posting misinformation that self-signed
roots have a hash problem. Signatures on self-signed roots are
gratuitous from a security viewpoint. So, we do not want to cry wolf and
undertake replacing roots, which will be a humongous waste of time and
money. Signatures, and hence the hash used to sign these, do not matter.
From: Timothy J. Miller [mailto:tmiller(_at_)mitre(_dot_)org]
Sent: Wednesday, December 31, 2008 1:35 PM
To: Santosh Chokhani
Cc: Dr Stephen Henson; ietf-pkix(_at_)imc(_dot_)org;
Subject: Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue
Santosh Chokhani wrote:
I am a bit concerned about random goo when random goo is one of the
things the attacker uses to cause collision. This may limit human or
machine's ability to discern mischief.
I don't see how, if the random goo is added by the CA. It defeats
chosen prefix attacks as a class.
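As an added illustration (not from this thread or its participants) of why CA-chosen randomness placed ahead of the request-controlled fields breaks a precomputed chosen-prefix collision: a 16-bit truncation of MD5 stands in for the broken hash so the collision search runs instantly, and every serial, name and field string is constructed.

```python
import hashlib
import secrets


def weak_digest(data: bytes) -> int:
    """Constructed stand-in for a broken hash: the first 16 bits of MD5."""
    return int.from_bytes(hashlib.md5(data).digest()[:2], "big")


def find_chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes):
    """Birthday search for suffixes sa, sb with
    weak_digest(prefix_a + sa) == weak_digest(prefix_b + sb).
    This is the attacker's offline step: every byte ahead of the suffix,
    the serial included, must be known before the search starts."""
    table = {}
    for i in range(512):
        sa = i.to_bytes(4, "big")
        table[weak_digest(prefix_a + sa)] = sa
    j = 0
    while True:
        sb = j.to_bytes(4, "big")
        d = weak_digest(prefix_b + sb)
        if d in table:
            return table[d], sb
        j += 1


def ca_sign(serial: bytes, request_fields: bytes) -> int:
    """Toy CA: to-be-signed bytes are serial || request fields, and the
    'signature' is simply their digest (no key; the hash is the point)."""
    return weak_digest(serial + request_fields)


def rogue_cert_verifies(predicted_serial: bytes, issued_serial: bytes) -> bool:
    """Attacker crafts benign and rogue field sets that collide under the
    serial they predicted; True if the CA's signature over the benign
    request also covers the rogue fields once the issued serial is copied in."""
    benign = b"CN=example.test,O=Legit Org"  # constructed request the CA approves
    rogue = b"CN=*,O=Rogue,CA=TRUE"           # constructed content the attacker wants signed
    sa, sb = find_chosen_prefix_collision(predicted_serial + benign,
                                          predicted_serial + rogue)
    signature = ca_sign(issued_serial, benign + sa)
    return signature == weak_digest(issued_serial + rogue + sb)


def demo():
    predicted = (42).to_bytes(8, "big")  # sequential serial an attacker can guess
    guessable = rogue_cert_verifies(predicted, predicted)                # CA used the guessed serial
    random_goo = rogue_cert_verifies(predicted, secrets.token_bytes(8))  # CA drew its own
    return guessable, random_goo  # (True, False), barring a 2**-16 accidental match
```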