MD5 is not secure for applications that blindly sign inputs from
non-trusted parties that can predict the content of the part of the
message before the submitted text. This is an attack on the
collision-resistance of the function.
I assume that for a cryptographic hash function to be called "secure",
it has to be BOTH preimage and collision-resistant (respectively secure
for all the usual uses). Obviously, the collision resistance
(respectively security in certain usual uses) is not given, so I call
it not secure.
MD5 signature support should be removed
as soon as reasonably possible.
...and it goes downhill from there...
Sorry, I maybe did not make clear that it should be dropped for
verifying certificate signatures as valid only. As was proven, the
attack on MD5 in that case is a very realistic one. I hope you did read
my explanation what I call "reasonably possible", which is more than a
year to allow a soft switch. I was NOT calling to remove it
immediately. If I missed something, please tell me what so I can learn
from my mistakes.
Jan
--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
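The verifier-side policy the reply argues for (stop accepting MD5 for validating certificate signatures after a soft-switch period), as an added example that is not from this thread or from Mozilla's code: a minimal DER walk that reads a certificate's outer signatureAlgorithm OID, warns while an assumed grace period runs, and rejects afterwards. The cut-off date and the two sample certificate shells are constructed assumptions.

```python
from datetime import date

# Signature-algorithm OIDs from RFC 3279/4055; the MD2/MD5 variants are the weak ones.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                 "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
GRACE_END = date(2010, 1, 1)  # assumed end of the "soft switch" period, not from the thread

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, end). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """OID content octets -> dotted string (first octet packs two arcs, rest base-128)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, body, _ = der_tlv(cert_der)         # outer SEQUENCE
    _, _, after_tbs = der_tlv(body)        # skip tbsCertificate
    _, alg, _ = der_tlv(body, after_tbs)   # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = der_tlv(alg)             # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return decode_oid(oid)

def check_signature_policy(cert_der, today):
    """Return ("accept"|"warn"|"reject", detail): weak hashes only warn while the
    grace period runs, and are rejected outright once GRACE_END has passed."""
    oid = signature_oid(cert_der)
    if oid not in WEAK_SIG_OIDS:
        return "accept", oid
    name = WEAK_SIG_OIDS[oid]
    if today < GRACE_END:
        return "warn", f"{name} is collision-prone; rejected from {GRACE_END}"
    return "reject", f"{name} signatures are no longer accepted"

# Constructed samples: minimal Certificate shells with dummy tbs/signature, NOT real X.509 certs.
MD5_CERT = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d0101040500" "030200ff")
SHA256_CERT = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d01010b0500" "030200ff")
```

A real deployment would run this check on the leaf and every intermediate in the chain, not only the end-entity certificate.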