I agree with Paul.
Unless the length of the TBS certificate as part of DER is made
unpredictable, any values on extensions just go in the tumor.
Sent: Sunday, January 04, 2009 3:40 PM
To: Yoav Nir
Cc: ietf-pkix(_at_)imc(_dot_)org; ietf-smime(_at_)imc(_dot_)org;
Subject: Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue
At 10:23 PM +0200 1/4/09, Yoav Nir wrote:
On Jan 4, 2009, at 9:11 PM, Paul Hoffman wrote:
At 9:02 AM +0200 1/4/09, Yoav Nir wrote:
Best we can do is to get the CAs to
(1) not issue MD5 certs anymore and
(2) randomize the serial number and/or
(3) add a random fluff extension that people are talking about
Just to repeat it one more time: #3 does not prevent the published
It does if the random fluff is inserted by the CA. The attack depends
on their ability to predict the entire TBS part.
I may have misunderstood the paper, but I think that changes after the
subjectPublicKeyInfo do not affect the attack.
But still, I don't see Microsoft removing a root CA because one of
their sub-CAs is issuing non-compliant certificates.
It is hard to see Microsoft removing or adding CAs. If anyone knows of
a public interface (mailing list, web site, whatever) for when this
happens, by all means please let the world know.
I managed to find a page with their policy on adding new root CAs.
Nothing there about removing old root CAs.
I'm not talking about the policy: I'm talking about the actual trust
And if Microsoft don't, nobody else will. The
Firefox/Opera/Safari/Chrome people don't want any sites that "only work
At least with respect to Firefox, I think that statement is false.
They've done quite a bit to render broken sites that were made for IE.
That is irrelevant for this thread. There are active discussions in the
Firefox community about adding and removing trust anchors that are and
are not already in the IE trust anchor pile.
Also, I've updated today and all the "bad" CAs with MD5 signatures are
still in the TAS.
As was pointed out to me earlier: it does not matter if the CA has its
cert signed with MD5, only whether that CA *signs* with MD5. RapidSSL,
for example, is still signed with MD5 but is now signing with SHA-1.
--Paul Hoffman, Director
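The two CA-side properties argued over above, whether the CA still *signs* with MD5 and whether the serial number is predictable enough for an attacker to guess the whole TBS part, can both be read straight out of the DER. The following is an added example, not code from anyone in this thread: a stdlib-only DER walker that audits a Certificate for an md5WithRSAEncryption signature OID and for a short, counter-style serial number. The certificates it audits are constructed inline with a tiny DER encoder (issuer, validity, subject and SPKI are empty placeholder SEQUENCEs, so they are not real CA certificates), and the "fewer than 64 bits looks predictable" threshold is an assumption of the example, not a rule stated in the thread.

```python
"""Audit a DER Certificate for MD5 signing and a low-entropy serial number.
Added example for the cfrg thread on MD5 rogue CA certificates; the sample
certificates below are constructed here and are not real CA certificates."""
import os

MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
WEAK_SIG_OIDS = {MD5_WITH_RSA: "md5WithRSAEncryption"}
MIN_SERIAL_BITS = 64  # assumed threshold for "random enough" (example's choice)

# ---- minimal DER encoder: just enough to build the sample certificates ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    # Minimal two's-complement encoding; a leading 0x00 keeps positives positive.
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])  # base-128, high bit set on all but last
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

def build_sample_cert(serial, sig_oid):
    """Constructed Certificate: [0] version, serial, signature AlgorithmIdentifier,
    then empty placeholder SEQUENCEs for issuer/validity/subject/SPKI."""
    alg = der_seq(der_oid(sig_oid), b"\x05\x00")           # OID + NULL params
    tbs = der_seq(der_tlv(0xA0, der_int(2)), der_int(serial), alg,
                  der_seq(), der_seq(), der_seq(), der_seq())
    fake_sig = der_tlv(0x03, b"\x00" + b"\x00" * 16)       # BIT STRING, dummy value
    return der_seq(tbs, alg, fake_sig)

# ---- minimal DER decoder ----
def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out

def oid_to_dotted(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def audit_certificate(cert_der):
    """Report the signature OID, the serial, and whether either looks weak."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs, pos = der_read(cert_body)
    fields = der_children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0                    # [0] version is optional
    serial = int.from_bytes(fields[i][1], "big", signed=True)
    sig_oid = oid_to_dotted(der_children(fields[i + 1][1])[0][1])
    _, outer_alg, _ = der_read(cert_body, pos)              # outer signatureAlgorithm
    outer_oid = oid_to_dotted(der_children(outer_alg)[0][1])
    return {
        "signature_oid": sig_oid,
        "md5_signed": sig_oid in WEAK_SIG_OIDS,             # what the CA signs WITH
        "algorithm_mismatch": sig_oid != outer_oid,         # must match per RFC 5280
        "serial": serial,
        "serial_bits": serial.bit_length(),
        "serial_looks_predictable": serial.bit_length() < MIN_SERIAL_BITS,
    }

if __name__ == "__main__":
    weak = build_sample_cert(serial=1234, sig_oid=MD5_WITH_RSA)
    random_serial = int.from_bytes(os.urandom(16), "big")  # 128-bit random serial
    strong = build_sample_cert(serial=random_serial, sig_oid=SHA256_WITH_RSA)
    for name, cert in (("md5 + counter serial", weak), ("sha256 + random serial", strong)):
        print(name, audit_certificate(cert))
```

The audit reads `tbsCertificate.signature`, not the algorithm the CA's own certificate was signed with, which is the distinction made at the end of the thread: a CA whose own cert carries an MD5 signature but which now signs end-entity certs with SHA-1 will not be flagged. The serial check is the cheap proxy for "could an attacker predict the TBS bytes": a small counter value fits in a couple of bytes and is easy to guess, while a long random value is not.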