Daniel Veditz wrote, On 2008-12-30 17:37:
> Paul Hoffman wrote:
>> At 1:16 PM -0800 12/30/08, Nelson B Bolyard wrote:
>>> I should have written: digital signatures on certificates. The patch
>>> that I wrote only affects signatures on digital certificates.
>>
>> Good. I am quite concerned if we start affecting signatures in things
>> like Thunderbird.
>
> Why is that any different? The fake CA these guys produced could be used
> to issue forged S/MIME certs too. Or authenticode certs. This problem is
> NOT limited to SSL.
>
> Or am I completely misunderstanding you?

Dan, I believe Paul was suggesting that he did not want to see signatures on email messages themselves be invalidated just because they use MD5. The email messages themselves have different vulnerability characteristics than the signatures on the certificates, because the latter may be much more predictable.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto