ietf-smime

Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CA certificate

2009-01-04 18:42:43

--On Sunday, January 04, 2009 10:23:58 PM +0200 Yoav Nir <ynir(_at_)checkpoint(_dot_)com> wrote:

On Jan 4, 2009, at 9:11 PM, Paul Hoffman wrote:

At 9:02 AM +0200 1/4/09, Yoav Nir wrote:
Best we can do is to get the CAs to

(1) not issue MD5 certs anymore and
(2) randomize the serial number and/or
(3) add a random fluff extension that people are talking about

Just to repeat it one more time: #3 does not prevent the published
attack.

It does if the random fluff is inserted by the CA. The attack depends on
their ability to predict the entire TBS part.

No, it does not. It depends on their ability to predict that portion of the TBS part which occurs prior to the computed collision blocks, which in the real certificate occur in the subject public key modulus. The portion of the TBS part which occurs after the collision blocks does not need to be predictable; they just need to be able to copy it as-is, which is done by copying the collision blocks, the rest of the original subject public key modulus, and all of the original certificate's extensions into a netscape comment extension in the forged certificate.

And if Microsoft don't, nobody else will. The Firefox/Opera/Safari/
Chrome people don't want any sites that "only work with Explorer".

At least with respect to Firefox, I think that statement is false.

They've done quite a bit to render broken sites that were made for IE.
Also, I've updated today and all the "bad" CAs with MD5 signatures are
still in the TAS.

Again, there is nothing "bad" about CA certificates with MD5 signatures. The signature on a root certificate is not used for anything, and in practice is not an accurate predictor of what algorithms that CA uses to sign certificates.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+(_at_)cmu(_dot_)edu>
  Carnegie Mellon University - Pittsburgh, PA
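The layout argument in the message above, as an added example that is not part of this thread: a small pure-Python DER walker builds a toy TBSCertificate (constructed sample values; `build_tbs`, `field_offsets`, `modulus_offset` and `must_be_predicted` are hypothetical helper names) and reports, for each top-level field, whether it sits before the RSA modulus that would carry the collision blocks, and so has to be predicted in advance, or after it, where it is merely copied into the forgery. A randomized serial number lands in the prefix; a fluff extension lands in the suffix.

```python
def tlv(tag, body):  # minimal DER TLV encoder (lengths up to 65535 are enough here)
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, body_start, body_end)."""
    k = 0 if buf[pos + 1] < 0x80 else buf[pos + 1] & 0x7F
    n = buf[pos + 1] if k == 0 else int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
    return buf[pos], pos + 2 + k, pos + 2 + k + n

def alg(oid_hex):  # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))

def build_tbs(serial, modulus, comment):
    """Constructed sample TBSCertificate with one netscape-comment extension (toy values)."""
    pubkey = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, alg("2a864886f70d010101") + tlv(0x03, b"\x00" + pubkey))
    validity = tlv(0x30, tlv(0x17, b"090101000000Z") + tlv(0x17, b"100101000000Z"))
    ns_comment = tlv(0x30, tlv(0x06, bytes.fromhex("6086480186f842010d"))
                     + tlv(0x04, tlv(0x16, comment)))
    return tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial)
               + alg("2a864886f70d010104")                    # md5WithRSAEncryption
               + tlv(0x30, b"") + validity + tlv(0x30, b"")   # empty issuer / subject
               + spki + tlv(0xA3, tlv(0x30, ns_comment)))

FIELDS = ["version", "serialNumber", "signature", "issuer", "validity",
          "subject", "subjectPublicKeyInfo", "extensions"]

def field_offsets(tbs):
    """Byte span (start, end) of each top-level TBSCertificate field."""
    _, pos, _ = read_tlv(tbs, 0)
    spans = {}
    for name in FIELDS:
        _, _, end = read_tlv(tbs, pos)
        spans[name], pos = (pos, end), end
    return spans

def modulus_offset(tbs):
    """Offset of the RSA modulus body, where the collision blocks are placed."""
    _, pos, _ = read_tlv(tbs, field_offsets(tbs)["subjectPublicKeyInfo"][0])
    _, _, pos = read_tlv(tbs, pos)        # skip AlgorithmIdentifier
    _, pos, _ = read_tlv(tbs, pos)        # BIT STRING body
    _, pos, _ = read_tlv(tbs, pos + 1)    # skip unused-bits byte, enter RSAPublicKey
    return read_tlv(tbs, pos)[1]          # INTEGER modulus body

def must_be_predicted(tbs, field):
    """True if the field precedes the collision blocks (attacker must guess it); else it is just copied."""
    return field_offsets(tbs)[field][0] < modulus_offset(tbs)
```

Running it on the sample shows `serialNumber` and `validity` in the must-predict prefix and `extensions` in the copied suffix, which is why mitigation (2) breaks the published attack and (3) alone does not.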
