At 11:41 PM +0100 1/8/09, Jan Schejbal wrote:

>>MD5 is not secure for applications that blindly sign inputs from non-trusted
>>parties that can predict the content of the part of the message before the
>>submitted text. This is an attack on the collision-resistance of the function.
>
>I assume that for a cryptographic hash function to be called "secure", it has
>to be BOTH preimage and collision-resistant (respectively secure for all the
>usual uses). Obviously, the collision resistance (respectively security in
>certain usual uses) is not given, so I call it not secure.
With that definition, SHA-1 is also not secure: its collision resistance has been reduced from 2^80 to 2^60-ish by similar attacks as for MD5. Are you saying that we have to deactivate signature validation for certs signed with SHA-1 as well?

>>>MD5 signature support should be removed
>>>as soon as reasonably possible.
>>
>>...and it goes downhill from there...
>
>Sorry, I maybe did not make clear that it should be dropped for verifying
>certificate signatures as valid only.

That is the same as you said above.

>As was proven, the attack on MD5 in that case is a very realistic one.

Correct. But the attack is not what you described in this thread.

>I hope you did read my explanation what I call "reasonably possible", which
>is more than a year to allow a soft switch. I was NOT calling to remove it
>immediately.

True, but irrelevant. You did not describe the attack you were trying to avoid by deactivating MD5 signature validation. If you had described the attack based on the new findings, you would see that deactivating MD5 signature validation does not deal with the attack and needlessly harms all owners and relying parties.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
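The switch the thread argues over is whether a relying party should stop accepting MD5-based certificate signatures. As an added example (not code from the thread or from Mozilla), here is a dependency-free check that reports which certificates in a DER-encoded chain carry an MD5 (or SHA-1) signature algorithm; it parses only the outer Certificate SEQUENCE, and the names `weak_signatures`, `stub_certificate` and the sample chain are my own constructed inputs, not real certificates.

```python
# Dotted OIDs of the RSA signature algorithms the thread calls weak.
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                       "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends one base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER certificate."""
    _, cert, _ = _tlv(cert_der, 0)     # Certificate ::= SEQUENCE { ... }
    _, _, pos = _tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)     # signatureAlgorithm AlgorithmIdentifier
    _, oid_body, _ = _tlv(alg_id, 0)   # its first element is the algorithm OID
    return _decode_oid(oid_body)

def weak_signatures(chain_der):
    """Map chain index -> weak algorithm name for every MD5/SHA-1-signed cert."""
    found = {}
    for i, der in enumerate(chain_der):
        oid = signature_algorithm_oid(der)
        if oid in WEAK_SIGNATURE_OIDS:
            found[i] = WEAK_SIGNATURE_OIDS[oid]
    return found

def stub_certificate(alg_oid_bytes):
    # Constructed test input only: minimal DER shaped like a Certificate.
    tbs = bytes.fromhex("3003020102")                  # SEQUENCE { INTEGER 2 }
    alg = bytes([0x30, len(alg_oid_bytes) + 4, 0x06, len(alg_oid_bytes)])
    alg += alg_oid_bytes + b"\x05\x00"                # OID followed by NULL params
    body = tbs + alg + bytes.fromhex("030200ff")      # dummy BIT STRING signature
    return bytes([0x30, len(body)]) + body

MD5_RSA = bytes.fromhex("2a864886f70d010104")      # md5WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption
SAMPLE_CHAIN = [stub_certificate(SHA256_RSA), stub_certificate(MD5_RSA)]
```

Trust anchors' own self-signatures are not part of path validation, so in practice the check is applied to the issued certificates below the root rather than to the root itself.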