At 6:48 PM +0000 12/31/08, Frank Hecker wrote: >Nelson B Bolyard wrote: >>A representative of Verisign has posted a response to this issue at >>https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php > >The VeriSign post is not 100% clear on exactly how "VeriSign has removed this >vulnerability" (to quote the blog post). Is it simply that VeriSign has now >discontinued using MD5 when issuing RapidSSL certificates and other end-entity >certificates under the various VeriSign/thawte/GeoTrust brands? Material >elsewhere in the post seems to imply that this was the only corrective action >taken (or that needed to be taken), but I don't recall it being made explicit >in the post.
I read that blog posting to mean that they were going to keep issuing certs using MD5 signatures, but would use unpredictable sequence numbers like other VeriSign CAs do. Someone can validate that by buying a new cert from them. :-) _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
