Is there anything that could be added to RP software to reliably
detect and thwart the use of a rogue CA certificate? Or would
any attempt to do that just cause too many problems?
Since MD5 is known bad and potentially dangerous at this point, I would
suggest that the best client side action would be to fail to verify any
signatures created using MD5. This will break some things, especially if
existing business processes are relying on a certificate signed with MD5.
However, it is a fail-safe and would prevent a rogue CA certificate created
in this fashion from being considered trustworthy.
And to Santosh's point (and others), my earlier email about
removing/replacing trust anchors was not because the self-signed
certificates are signed using MD5; I agree the trust anchor public keys are
protected using other mechanisms. I am recommending that if CAs do nothing
to prevent this kind of attack (non-random serial numbers, issue
certificates signed with MD5, issue certificates in an automated,
predictable fashion) that those CAs should be removed from trust lists
because they are no longer acting in the interest of the relying party--they
are an accomplice to the creation of these rogue certificates.
--Peter
----------------------------------------------------------------
Peter Hesse pmhesse(_at_)geminisecurity(_dot_)com
http://securitymusings.com http://geminisecurity.com