On Jan 2, 2009, at 5:35 PM, Robert Moskowitz wrote:
Since MD5 is known bad and potentially dangerous at this point, I would suggest that the best client side action would be to fail to verify any signatures created using MD5. This will break some things, especially if existing business processes are relying on a certificate signed with MD5. However, it is a fail-safe and would prevent a rogue CA certificate created in this fashion from being considered trustworthy.
And to Santosh's point (and others), my earlier email about removing/replacing trust anchors was not because the self-signed certificates are signed using MD5; I agree the trust anchor public keys are protected using other mechanisms. I am recommending that if CAs do nothing to prevent this kind of attack (non-random serial numbers, issue certificates signed with MD5, issue certificates in an automated, predictable fashion) that those CAs should be removed from trust lists because they are no longer acting in the interest of the relying party--they are an accomplice to the creation of these rogue certificates.
Peter,
This sounds great at an IETF mike, but out in the field how do you get all those millions of browsers to pull down a new trust list that will no longer include CA foobar?

Can't happen now, and the way things are going, ain't going to happen before 2026 either.

There's this one company such that if they use Windows update to update their browsers, the others will follow. Technically, it's very easy to get rid of the bad CAs. However, that company is not going to modify their browsers, not now, probably not in the next few years.

So what tool do we have to get compliance to best practices? The good old 5th estate: get out there and give bad press to foobar until they fix their behaviour or their business model collapses and they go out of business and can no longer issue potentially rogue certs.
I don't think you can get a message like that across. This story evokes more of the "Wow! Clever hackers with 200 playstations" sentiment, not the "criminal negligence" sentiment. You can't get the media angry with a company unless the negligence causes something spectacular, like an exploding Ford Pinto. Even Jesse Walker's "unsafe at any keylength" article didn't have quite the impact of the original. And people still use WEP.

We can talk and posture all we want in the IETF. We are rather good at that, IMNSHO. But this is perfect proof of our impact as such on the business model of companies that use our technology; they will do what is expedient, not what is Best Practices.
Best we can do is to get the CAs to
(1) not issue MD5 certs anymore and
(2) randomize the serial number and/or
(3) add a random fluff extension that people are talking about

But still, I don't see Microsoft removing a root CA because one of their sub-CAs is issuing non-compliant certificates. And if Microsoft don't, nobody else will. The Firefox/Opera/Safari/Chrome people don't want any sites that "only work with Explorer".
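The two checks the thread keeps coming back to, the client-side "fail to verify any MD5 signature" rule and the CA-side "randomize the serial number" rule, as an added example that is not part of the thread. It is a skeletal DER walker over hand-built certificate skeletons; the OIDs are the real RFC 3279 values, while the 64-bit serial threshold and the sample certificates are constructed assumptions.

```python
# Added example (not from the thread): a skeletal DER walker that applies two
# mitigations discussed above to a certificate. OIDs are the real RFC 3279
# values; the certificates built here are constructed test data.
MD5_RSA = bytes.fromhex("2a864886f70d010104")     # md5WithRSAEncryption (1.2.840.113549.1.1.4)
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption (1.2.840.113549.1.1.11)
MIN_SERIAL_BITS = 64                              # assumed policy threshold

def der(tag, body):
    """Encode one DER TLV (short-form length; enough for these skeletons)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def tlv(buf, pos):
    """Decode the TLV at pos -> (tag, body, position after it); handles long form."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def build_cert(sig_oid_body, serial):
    """Constructed Certificate skeleton: version, serial, both algorithm
    fields and a dummy signature BIT STRING. Not a real, verifiable cert."""
    alg = der(0x30, der(0x06, sig_oid_body) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + alg)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xAA" * 32))

def check_cert(cert):
    """Return policy findings for a DER certificate; [] means acceptable."""
    findings = []
    _, outer, _ = tlv(cert, 0)
    _, tbs, p = tlv(outer, 0)                    # tbsCertificate
    _, outer_alg, _ = tlv(outer, p)              # signatureAlgorithm
    tag, body, q = tlv(tbs, 0)
    if tag == 0xA0:                              # optional [0] EXPLICIT version
        tag, body, q = tlv(tbs, q)
    serial = int.from_bytes(body, "big", signed=True)
    _, inner_alg, _ = tlv(tbs, q)                # tbsCertificate.signature
    oid_out, oid_in = tlv(outer_alg, 0)[1], tlv(inner_alg, 0)[1]
    if oid_out != oid_in:                        # RFC 5280 4.1.1.2 requires equality
        findings.append("signatureAlgorithm differs from tbsCertificate.signature")
    if MD5_RSA in (oid_out, oid_in):             # client-side rule from the thread
        findings.append("md5WithRSAEncryption signature: refuse to verify")
    if serial <= 0 or serial.bit_length() < MIN_SERIAL_BITS:   # CA-side rule
        findings.append(f"serial has only {max(serial, 0).bit_length()} bits")
    return findings

# Constructed samples: a sequential-looking MD5 cert and an acceptable one.
BAD_CERT = build_cert(MD5_RSA, bytes([0x01, 0x23]))
GOOD_CERT = build_cert(SHA256_RSA, bytes.fromhex("4c9f1e0b7a3d5c28e1f0a9b36d54c2e7"))
```

Running `check_cert` on `BAD_CERT` reports both the MD5 signature and the short serial, while `GOOD_CERT` passes cleanly.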