Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CA certificate

2009-01-01 13:04:02

At Thu, 01 Jan 2009 07:51:38 -0800,
Mike wrote:

> Is there anything that could be added to RP software to reliably
> detect and thwart the use of a rogue CA certificate?  Or would
> any attempt to do that just cause too many problems?
>
> Mike (who is writing "I am not a security expert" 100 times on
>        the chalkboard)

You could certainly add a check for this particular certificate
and any others you discovered. To the extent to which CAs no 
longer use MD5, this would likely quickly clean up the damage.
It's less clear that you could safely detect this kind of
cert in a generic way.
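
An added example, not part of the original message or of any relying-party product: a sketch of the two checks this thread touches on, a fingerprint blocklist for specific known-bad certificates and a policy refusal of certificates whose signature algorithm is md5WithRSAEncryption. The MD5 refusal is a policy assumption, not a generic rogue-certificate detector; all function names are hypothetical and the sample inputs are constructed DER stand-ins, not real certificates.

```python
import hashlib

# DER content bytes of the signature-algorithm OIDs
MD5_WITH_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the DER element at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("bad DER length")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + length], off + length

def sig_alg_oid(cert_der):
    """OID bytes of Certificate.signatureAlgorithm (second outer field)."""
    tag, body, end = read_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a single DER SEQUENCE")
    _, _, off = read_tlv(body, 0)          # skip tbsCertificate
    tag, alg, _ = read_tlv(body, off)
    oid_tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("unexpected signatureAlgorithm encoding")
    return oid

def fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()

def check_cert(cert_der, blocklist):
    """Blocklist check first, then the MD5 policy check (an assumption)."""
    if fingerprint(cert_der) in blocklist:
        return "reject: blocklisted certificate"
    if sig_alg_oid(cert_der) == MD5_WITH_RSA:
        return "reject: MD5 signature"
    return "ok"

def der(tag, content):  # minimal encoder for the constructed samples only
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def sample_cert(oid, marker):  # constructed stand-in with the Certificate layout
    tbs = der(0x30, der(0x04, marker))
    alg = der(0x30, der(0x06, oid) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))
```

A real relying party would apply the algorithm check to every non-root certificate in the chain, since the signature on a self-signed trust anchor is not what establishes trust in it.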