On Thu, 10 Jun 2010, Simon Josefsson wrote:
> I don't see how that gains you anything: you still need to make clients
> place trust in the new CA, and if the attacker has that ability, all
> bets are off.
The clients trust the new CA because it is an intermediate CA chained to
the original, MD2-signed top-level CA. The intermediate cert is then
treated with the same validity as *any* intermediate cert generated by
that top-level cert -- since the top-level cert's signature verifies
correctly on the intermediate cert, of course.
Do you understand the attack now?
This isn't *quite* such an issue, since after we brought it to the
attention of CERT and the browser vendors, they either eliminated MD2
support entirely, or restricted it so that an intermediate CA cert
signed with MD2 would be rejected. (At least, I personally verified Chrome
and Firefox. I *think* IE and Opera were patched, too -- they should be.)
So now we hope that browsers released prior to mid-2009 are retired from
use before MD2 is broken in practice. Given the longevity of browsers,
it's going to be close.
--Len.
_______________________________________________
smime mailing list
smime(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/smime
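The browser rule Len describes, as an added example that is not code from the thread or from any browser: certificates are modelled as plain dicts rather than parsed X.509 (the signature-algorithm OIDs are the real PKCS#1 values), the names and the chains are constructed, and `reject_md2_below_anchor=False` stands in for the pre-patch behaviour.

```python
# Added example, not from the thread: a simplified chain walk modelling the
# post-2009 browser rule.  Certificates are plain dicts (no real X.509
# parsing); the signature-algorithm OIDs are the genuine PKCS#1 values.
MD2_RSA = "1.2.840.113549.1.1.2"      # md2WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

def cert(subject, issuer, sig_alg, ca=False):
    return {"subject": subject, "issuer": issuer, "sig_alg": sig_alg, "ca": ca}

def check_chain(chain, trust_anchors, reject_md2_below_anchor=True):
    """chain is leaf-first, trust anchor last.  Returns (accepted, reason).

    reject_md2_below_anchor=False reproduces the pre-patch behaviour, where
    an MD2 signature was accepted anywhere in the chain."""
    anchor = chain[-1]
    if anchor["subject"] not in trust_anchors or anchor["issuer"] != anchor["subject"]:
        return False, "chain does not end at a trusted self-signed root"
    # Name chaining: each cert must be issued by the next one, which must be a CA.
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"] or not parent["ca"]:
            return False, f"{child['subject']} is not validly issued by {parent['subject']}"
    # The anchor's own self-signature is never verified: its trust comes from the
    # store, so an MD2-signed root is harmless by itself.  Every signature *below*
    # it IS verified against the parent's key, which is exactly where a forged
    # MD2 signature would be accepted, so those are the ones the policy refuses.
    if reject_md2_below_anchor:
        for c in chain[:-1]:
            if c["sig_alg"] == MD2_RSA:
                return False, f"MD2 signature on {c['subject']} rejected"
    return True, "ok"

# Constructed sample data.  "Old Root" is a legacy self-signed MD2 root that is
# still in the trust store.
TRUST = {"Old Root"}
ROOT = cert("Old Root", "Old Root", MD2_RSA, ca=True)
# Legitimate chain: the root signed its intermediate with SHA-256.
LEGIT = [cert("www.example", "Good Sub CA", SHA256_RSA),
         cert("Good Sub CA", "Old Root", SHA256_RSA, ca=True), ROOT]
# The case from the thread: an intermediate whose signature under the root is
# MD2-based (the only kind an MD2 break could yield), then an ordinary leaf.
SUSPECT = [cert("www.example", "Sub CA X", SHA256_RSA),
           cert("Sub CA X", "Old Root", MD2_RSA, ca=True), ROOT]

if __name__ == "__main__":
    for name, chain in (("legit", LEGIT), ("md2-intermediate", SUSPECT)):
        print(name, "legacy:", check_chain(chain, TRUST, False),
              "patched:", check_chain(chain, TRUST))
```

Note that the legitimate chain passes under both policies even though the root itself is MD2-signed; only the intermediate's signature decides the outcome.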