
Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

2009-01-05 18:37:29

--On Thursday, January 01, 2009 05:01:33 AM +0100 Philipp Guehring <philipp(_at_)cacert(_dot_)org> wrote:

It should be noted, though, that yanking the trust anchors is not
enough. You really should change the relying party to not recognize
this algorithm. Otherwise, it's perfectly valid for a CA whose
certificate is signed with SHA1 to sign an intermediate CA certificate
with MD5 (although they usually don't do that, I hope)

I also thought so, but then I realized that if we invalidate MD5
completely, then we would also invalidate root certificates that are MD5
self-signed, which isn't a security issue. So that would give lots of
unnecessary false-positives.

Except that the validation process doesn't actually need to check the signature on a "root certificate", because that signature is not part of the chain.

I would like to propose the following idea:

We should define a date for expiring MD5 in certificate chains for the
Internet. I would suggest the 1. June 2009, which is 6 months from now.
If we all agreed, today, that this is the right approach, and the browser vendors all agreed with us, and they all managed to have updated versions available, by, say, next week...

It would be after June before anyone even had the new software.

If we're going to propose that browser vendors make a software change, it should not be to remove MD5 support; it should be to allow configuration of which signature algorithms are supported, just as they allow configuration of which TLS ciphersuites are supported.

It certainly should _not_ be to generate a warning every time an MD5 signature is used. All that will do is train users to click away security warnings without reading them, which they are already quite good at.

-- Jeff
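The distinction Jeff draws above (the self-signature on a trust anchor is not part of the chain, so a relying party never verifies it, while the signatures on intermediates and end-entity certificates are) is easy to see in a chain walker. The following is an added example, not code from the thread or from any participant's software; it models certificates as simple records rather than parsing X.509, and the certificate names, algorithm strings and the configurable `allowed_sig_algs` set are all constructed for illustration. The allowed-algorithm set stands in for the configurable signature-algorithm policy Jeff suggests, alongside ciphersuite configuration.

```python
"""Chain walker that applies a signature-algorithm policy only to the
signatures a relying party actually verifies.  Constructed illustration;
certificates are plain records, not real X.509 objects."""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str   # algorithm used by the issuer to sign THIS certificate


# Relying-party policy (assumed algorithm names): which signature
# algorithms may appear on certificates whose signature is verified.
DEFAULT_ALLOWED: FrozenSet[str] = frozenset(
    {"sha256WithRSAEncryption", "sha1WithRSAEncryption"}
)


def validate_chain(chain: List[Cert], trust_anchors: FrozenSet[str],
                   allowed_sig_algs: FrozenSet[str] = DEFAULT_ALLOWED) -> str:
    """Walk chain[0] (end entity) up to chain[-1] (trust anchor).

    Returns "ok" or a short reason the chain is rejected."""
    if not chain:
        return "empty chain"
    anchor = chain[-1]
    if anchor.subject not in trust_anchors or anchor.subject != anchor.issuer:
        return "last certificate is not a configured self-signed trust anchor"
    for i, cert in enumerate(chain[:-1]):
        issuer = chain[i + 1]
        if cert.issuer != issuer.subject:
            return f"issuer mismatch at {cert.subject}"
        # This signature is the one the relying party verifies, so the
        # algorithm policy applies here (intermediates and the leaf).
        if cert.sig_alg not in allowed_sig_algs:
            return f"{cert.subject} signed with disallowed {cert.sig_alg}"
    # anchor.sig_alg is deliberately not inspected: the self-signature on
    # the trust anchor is never verified, so an MD5 self-signed root is
    # not a finding and produces no false positive.
    return "ok"


# Constructed sample chains (not real certificates).
ROOT = Cert("Constructed Root CA", "Constructed Root CA", "md5WithRSAEncryption")
INTER_SHA1 = Cert("Constructed Intermediate CA", "Constructed Root CA",
                  "sha1WithRSAEncryption")
INTER_MD5 = Cert("Constructed Intermediate CA", "Constructed Root CA",
                 "md5WithRSAEncryption")
LEAF = Cert("www.example.test", "Constructed Intermediate CA",
            "sha256WithRSAEncryption")
ANCHORS: FrozenSet[str] = frozenset({"Constructed Root CA"})

# MD5 only on the root's self-signature: accepted.
CHAIN_MD5_ROOT = [LEAF, INTER_SHA1, ROOT]
# MD5 on the intermediate's signature: this one is actually verified.
CHAIN_MD5_INTERMEDIATE = [LEAF, INTER_MD5, ROOT]


if __name__ == "__main__":
    print(validate_chain(CHAIN_MD5_ROOT, ANCHORS))
    print(validate_chain(CHAIN_MD5_INTERMEDIATE, ANCHORS))
    # Tightening the policy later is a configuration change, not a code change.
    print(validate_chain(CHAIN_MD5_ROOT, ANCHORS,
                         frozenset({"sha256WithRSAEncryption"})))
```

Running it accepts the first chain, rejects the second because the intermediate's signature uses a disallowed algorithm, and rejects the first chain again once SHA-1 is removed from the policy; the MD5 self-signature on the root never enters into any of the three decisions.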
