Len Sassaman <Len(_dot_)Sassaman(_at_)esat(_dot_)kuleuven(_dot_)be> writes:
On Thu, 10 Jun 2010, Simon Josefsson wrote:
2) MD2 is still used. In GnuTLS I recall _adding_ support for MD2 as
recently as (according to NEWS logs) in 2005. If I recall correctly,
some Verisign root certificates are MD2. Note that in GnuTLS,
verifying a certificate involving an MD2 digital signature will fail
because MD2 is insecure, but the algorithm is still implemented and
Verisign had a root cert that was self-signed by MD2. When Dan
Kaminsky and I found that, Dan talked to Verisign, and they reissued
the cert signed with SHA-1. The original cert is still valid in older
browsers, but there should no longer be any MD2 certs in use in the
public CA system. (Who knows about private enterprise deployments,
I support deprecating MD2. We are one incremental improvement in MD2
attack speed away from a massive break.
A self-signed trust root with MD2 is not a security problem by itself:
it is not the digital signature that is trusted, it is the public key in
the certificate. The MD2 roots are still shipped and trusted in several
modern packages (e.g., Ubuntu 10.04 LTS ca-certificates).
I support deprecating MD2 for any purpose that requires a collision-
resistant function. The current proposal goes further and deprecates
MD2 for any use. I don't see much argumentation for deprecating it for
non-collision-resistant use cases.
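An added example that makes Simon's point concrete (example code, not from this thread, GnuTLS, or any project named in it): it reads a certificate's signatureAlgorithm OID with a minimal DER walk and applies a chain policy that rejects MD2 signatures wherever a signature is actually relied on, while skipping the configured trust anchor's self-signature, since only the anchor's public key is trusted. The certificate stand-ins are constructed with an empty tbsCertificate, and the leaf-first, anchor-last chain order is an assumption of the example.

```python
# Added example (not code from the smime thread or from GnuTLS): reject MD2 where a signature
# is relied on; the trust anchor's self-signature is not (assumed chain order: anchor last).
OID_NAMES = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
WEAK = {"md2WithRSAEncryption"}
MD2_RSA = bytes.fromhex("2a864886f70d010102")     # OID content octets, 1.2.840.113549.1.1.2
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def _tlv(der, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, start, _ = _tlv(cert_der, 0)               # outer SEQUENCE
    _, _, tbs_end = _tlv(cert_der, start)         # skip tbsCertificate
    _, alg, _ = _tlv(cert_der, tbs_end)           # AlgorithmIdentifier SEQUENCE
    tag, s, e = _tlv(cert_der, alg)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    oid = _decode_oid(cert_der[s:e])
    return OID_NAMES.get(oid, oid)

def check_chain(chain_der):
    """chain_der is leaf first, configured trust anchor last; returns findings."""
    findings = []
    for i, cert in enumerate(chain_der):
        alg = signature_algorithm(cert)
        if alg in WEAK and i != len(chain_der) - 1:   # anchor's self-signature is not relied on
            findings.append(f"cert {i}: {alg} signature is relied on")
    return findings

def fake_cert(oid_content):
    """Constructed stand-in: empty tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    alg_id = b"\x30" + bytes([len(oid_content) + 4]) + b"\x06" + bytes([len(oid_content)]) + oid_content + b"\x05\x00"
    body = b"\x30\x00" + alg_id + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body
```

On a real DER certificate only `signature_algorithm` is exercised as-is; `fake_cert` exists solely to build offline inputs for the policy check.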
smime mailing list