[Top] [All Lists]

Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate

2009-01-04 14:25:19

At 9:02 AM +0200 1/4/09, Yoav Nir wrote:
Best we can do is to get the CAs to

(1) not issue MD5 certs anymore and
(2) randomize the serial number and/or
(3) and a random fluff extension that people are talking about

Just to repeat it one more time: #3 does not prevent the published attack.

But still, I don't see Microsoft removing a root CA because one of their 
sub-CAs is issuing non-compliant certificates.

It is hard to see Microsoft removing or adding CAs. If anyone knows of a public 
interface (mailing list, web site, whatever) for when this happens, by all 
means please the world know.

And if Microsoft don't, nobody else will. The Firefox/Opera/Safari/Chrome 
people don't want any sites that "only work with Explorer".

At least with respect to Firefox, I think that statement is false.

--Paul Hoffman, Director
--VPN Consortium

<Prev in Thread] Current Thread [Next in Thread>