At 10:23 PM +0200 1/4/09, Yoav Nir wrote:
> On Jan 4, 2009, at 9:11 PM, Paul Hoffman wrote:
>> At 9:02 AM +0200 1/4/09, Yoav Nir wrote:
>>> Best we can do is to get the CAs to
>>> (1) not issue MD5 certs anymore and
>>> (2) randomize the serial number and/or
>>> (3) add a random fluff extension that people are talking about
>>
>> Just to repeat it one more time: #3 does not prevent the published attack.
>
> It does if the random fluff is inserted by the CA. The attack depends on their
> ability to predict the entire TBS part.

I may have misunderstood the paper, but I think that changes after the
subjectPublicKeyInfo do not affect the attack.

>>> But still, I don't see Microsoft removing a root CA because one of their
>>> sub-CAs is issuing non-compliant certificates.
>>
>> It is hard to see Microsoft removing or adding CAs. If anyone knows of a
>> public interface (mailing list, web site, whatever) for when this happens, by
>> all means please let the world know.
>
> I managed to find a page with their policy on adding new root CAs. Nothing
> there about removing old root CAs.

I'm not talking about the policy: I'm talking about the actual trust anchors
themselves.

>>> And if Microsoft don't, nobody else will. The Firefox/Opera/Safari/Chrome
>>> people don't want any sites that "only work with Explorer".
>>
>> At least with respect to Firefox, I think that statement is false.
>
> They've done quite a bit to render broken sites that were made for IE.

That is irrelevant for this thread. There are active discussions in the Firefox
community about adding and removing trust anchors that are and are not already
in the IE trust anchor pile.

> Also, I've updated today and all the "bad" CAs with MD5 signatures are still
> in the TAS.

As was pointed out to me earlier: it does not matter if the CA has its cert
signed with MD5, only whether that CA *signs* with MD5. RapidSSL, for example,
is still signed with MD5 but is now signing with SHA-1.
--Paul Hoffman, Director
--VPN Consortium
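Added example (editor's illustration, not code from the thread or from any of the parties named in it) of the two checks the exchange above turns on: per CA, whether its own certificate is MD5-signed versus whether it issues MD5-signed certificates, and the on-the-wire order of TBSCertificate fields, which puts serialNumber before subjectPublicKeyInfo and extensions after it. It uses only the Python standard library; the certificates are constructed test data with dummy keys and signature values, and the CA names ("Toy Root", "Toy Legacy CA", "Toy Intermediate") are hypothetical. The same field walk works on real DER certificates that use the standard v3 layout.

```python
"""Audit a certificate chain for MD5 usage: which CA *signs* with MD5 versus which CA
merely *has* an MD5-signed cert, plus the TBSCertificate field order.
Constructed toy certificates (dummy keys and signatures), stdlib only."""

MD5_RSA, SHA1_RSA = "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"
SHA256_RSA, RSA_ENC, OID_CN = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1", "2.5.4.3"
HASH_NAME = {MD5_RSA: "md5", SHA1_RSA: "sha1", SHA256_RSA: "sha256"}
TBS_FIELDS = ["version", "serialNumber", "signature", "issuer", "validity",
              "subject", "subjectPublicKeyInfo", "extensions"]

# ---- minimal DER encoder: just enough to build certificate-shaped test data ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def alg_id(oid):
    return seq(encode_oid(oid), tlv(0x05, b""))  # AlgorithmIdentifier with NULL parameters

def name(cn):
    return seq(tlv(0x31, seq(encode_oid(OID_CN), tlv(0x13, cn.encode()))))

def make_cert(subject, issuer, serial, sig_oid):
    """v3 certificate skeleton in standard field order; key and signature are dummies."""
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                                  # [0] version v3
        tlv(0x02, serial),                                              # serialNumber
        alg_id(sig_oid),                                                # signature
        name(issuer),
        seq(tlv(0x17, b"090104000000Z"), tlv(0x17, b"100104000000Z")),  # validity
        name(subject),
        seq(alg_id(RSA_ENC), tlv(0x03, b"\x00\x30\x00")),               # subjectPublicKeyInfo
        tlv(0xA3, seq(seq(encode_oid("2.5.29.19"), tlv(0x04, b"\x30\x00")))),  # [3] extensions
    )
    return seq(tbs, alg_id(sig_oid), tlv(0x03, b"\x00" * 17))         # signatureAlgorithm, signature

# ---- minimal DER reader ----
def der_read(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def common_name(name_body):
    return children(children(children(name_body)[0][1])[0][1])[1][1].decode()

def parse_cert(der):
    _, body, _ = der_read(der, 0)
    tbs, sig_alg, _ = children(body)
    f = children(tbs[1])
    i = 1 if f[0][0] == 0xA0 else 0       # skip explicit version tag if present
    return {"serial": f[i][1],
            "tbs_alg": decode_oid(children(f[i + 1][1])[0][1]),
            "issuer": common_name(f[i + 2][1]),
            "subject": common_name(f[i + 4][1]),
            "outer_alg": decode_oid(children(sig_alg[1])[0][1])}

def tbs_layout(der):
    """Byte ranges of TBS fields. Fields up to and including subjectPublicKeyInfo (so the
    serial number) precede a colliding block placed in the key; extensions follow it."""
    _, cert_body, _ = der_read(der, 0)
    _, tbs, _ = der_read(cert_body, 0)
    fields = TBS_FIELDS if tbs[0] == 0xA0 else TBS_FIELDS[1:]
    layout, pos = {}, 0
    for fld in fields:
        start = pos
        _, _, pos = der_read(tbs, pos)
        layout[fld] = (start, pos)
    return layout

def audit_chain(certs):
    """Per subject: hash its own cert was signed with, and the hashes it used when issuing."""
    report = {}
    for c in map(parse_cert, certs):
        if c["tbs_alg"] != c["outer_alg"]:   # RFC 5280 4.1.1.2: the two fields must agree
            raise ValueError(f"{c['subject']}: TBS.signature != signatureAlgorithm")
        h = HASH_NAME.get(c["tbs_alg"], c["tbs_alg"])
        report.setdefault(c["subject"], {"signed_with": None, "issues_with": set()})["signed_with"] = h
        report.setdefault(c["issuer"], {"signed_with": None, "issues_with": set()})["issues_with"].add(h)
    return report

def md5_issuers(certs):
    """The CAs that matter: those that sign with MD5, whatever their own cert was signed with."""
    return sorted(ca for ca, r in audit_chain(certs).items() if "md5" in r["issues_with"])

# Constructed sample chain (hypothetical names): "Toy Intermediate" has an MD5-signed cert but
# signs with SHA-1; "Toy Legacy CA" has a SHA-1-signed cert but still signs with MD5.
SAMPLE_CHAIN = [
    make_cert("Toy Root", "Toy Root", b"\x01", SHA1_RSA),
    make_cert("Toy Legacy CA", "Toy Root", b"\x02", SHA1_RSA),
    make_cert("Toy Intermediate", "Toy Legacy CA", b"\x03", MD5_RSA),
    make_cert("www.example.com", "Toy Intermediate", b"\x10", SHA1_RSA),
    make_cert("legacy.example.com", "Toy Legacy CA", b"\x11", MD5_RSA),
]

if __name__ == "__main__":
    for ca, r in audit_chain(SAMPLE_CHAIN).items():
        print(f"{ca:20s} signed_with={r['signed_with']:6s} issues_with={sorted(r['issues_with'])}")
    print("CAs still signing with MD5:", md5_issuers(SAMPLE_CHAIN))
    print("TBS layout of leaf:", tbs_layout(SAMPLE_CHAIN[3]))
```

On the sample, only "Toy Legacy CA" is reported as an MD5 issuer, even though it is "Toy Intermediate" whose own certificate carries the MD5 signature; that is the distinction drawn at the end of the message above. The layout dump shows serialNumber sitting before subjectPublicKeyInfo and extensions after it, which is why a CA-chosen random serial lands in the part of the TBS an attacker must predict, while an extension added after the key does not.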