I agree with Simon. The security strength of the hash in a self-signed
certificate is irrelevant. It is an untrusted object. You might use
the world's weakest hash or not sign it at all.
That said, if you process that MD2, you may end up invoking it for other
certificates. But, as the OpenSSL folks posted in this thread, they do not
verify signatures on self-signed certificates, obviating the need for
[mailto:saag-bounces@ietf.org] On Behalf
Sent: Thursday, June 10, 2010 4:20 PM
To: Len Sassaman
Cc: pkix@ietf.org; cfrg@irtf.org;
Subject: Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-historic-
Len Sassaman <Len.Sassaman@esat.kuleuven.be> writes:
On Thu, 10 Jun 2010, Simon Josefsson wrote:
I don't see how that gains you anything: you still need to make
place trust in the new CA, and if the attacker has that ability,
bets are off.
The clients trust the new CA because it is an intermediate CA
to the original, MD2-signed top-level CA. The intermediate cert is
then treated with the same validity as *any* intermediate cert
generated by that top-level cert -- since the top-level cert's
signature verifies correctly on the intermediate cert, of course.
Do you understand the attack now?
Yes, I do, but that attack is not caused by a MD2 root. The attack is
caused by software trusting MD2 to verify digital signatures. I
the latter has been resolved in most security libraries already (it
certainly has been resolved in GnuTLS, since January 2009, which
both MD2 and MD5 as insecure).
The former case (a MD2 root) is not a problem by itself, as far as I
tell, which is what I originally stated.
As long as MD2 roots have not been shown to be a problem, by
protocols and software will need to continue to implement MD2 for
operational reasons. There are still several MD2 roots in recently
shipping operating systems. For example, my Ubuntu 10.04 LTS system
these RSA-MD2 roots:
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 1 Public Primary
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Issuer: C=US,O=RSA Data Security\, Inc.,OU=Secure Server
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 2 Public Primary
Right now, I think my preference would be to update RFC 1319 with
something like Sean's document, to alert everyone of the security
issues, but let the status of the algorithm description remain
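The point argued above (a trust anchor is trusted because it sits in the trust store, not because its self-signature verifies, so the hash on a root is irrelevant, while the hash on certificates *below* the anchor is exactly what a validator relies on) can be shown with a path validator that behaves the way the OpenSSL people describe. The following is an added example written for this page, not code from the thread, from OpenSSL or from GnuTLS. It uses Go's standard crypto/x509, which cannot produce MD2 or MD5 signatures at all, so instead of a weak hash it simply breaks the signature bytes: a root whose own signature is corrupted still anchors a valid chain, while a leaf whose signature is corrupted is rejected. All names ("Example Test Root", "leaf.example.test") are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// buildChain generates a self-signed root and a leaf signed by the root key.
// Both certificates are returned as DER so the caller can tamper with them.
func buildChain() (rootDER, leafDER []byte, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootDER, err = x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	rootCert, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "leaf.example.test"}, // constructed name
		DNSNames:     []string{"leaf.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, rootCert, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	return rootDER, leafDER, nil
}

// corruptSignature flips the last byte of a DER certificate. The signatureValue
// BIT STRING is the final element of a DER Certificate, so this invalidates the
// signature while leaving the TBSCertificate (names, key, extensions) intact.
func corruptSignature(der []byte) []byte {
	out := append([]byte(nil), der...)
	out[len(out)-1] ^= 0xff
	return out
}

// verifyLeaf installs rootDER as the only trust anchor and path-validates leafDER.
func verifyLeaf(rootDER, leafDER []byte) error {
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "leaf.example.test"})
	return err
}

// Demonstrate reports whether validation succeeds for the untampered chain,
// for a root with a broken self-signature, and for a leaf with a broken signature.
func Demonstrate() (baselineOK, rootTamperedOK, leafTamperedOK bool, err error) {
	rootDER, leafDER, err := buildChain()
	if err != nil {
		return false, false, false, err
	}
	baselineOK = verifyLeaf(rootDER, leafDER) == nil
	rootTamperedOK = verifyLeaf(corruptSignature(rootDER), leafDER) == nil
	leafTamperedOK = verifyLeaf(rootDER, corruptSignature(leafDER)) == nil
	return baselineOK, rootTamperedOK, leafTamperedOK, nil
}

func main() {
	base, rootT, leafT, err := Demonstrate()
	if err != nil {
		panic(err)
	}
	fmt.Println("untampered chain verifies:        ", base)
	fmt.Println("root self-signature broken, verifies:", rootT)
	fmt.Println("leaf signature broken, verifies:     ", leafT)
}
```

The root's signature is never consulted: the validator trusts the anchor by identity and public key, and only checks signatures from the anchor downwards. That is why the hash algorithm on a root certificate does not weaken the chain, and why the real exposure is a validator that still accepts MD2 (or MD5) on the intermediate and end-entity signatures it does check.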