Nelson B Bolyard wrote:
> A representative of Verisign has posted a response to this issue at https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php
The VeriSign post is not 100% clear on exactly how "VeriSign has removed this vulnerability" (to quote the blog post). Is it simply that VeriSign has now discontinued using MD5 when issuing RapidSSL certificates and other end-entity certificates under the various VeriSign/thawte/GeoTrust brands? Material elsewhere in the post seems to imply that this was the only corrective action taken (or that needed to be taken), but I don't recall it being made explicit in the post.
Frank

--
Frank Hecker
hec...@mozillafoundation.org