On 8-Jan-09, at 3:45 PM, Paul Hoffman wrote:
> At 6:51 PM +0100 1/8/09, Jan Schejbal wrote:
>> As the MD5 algorithm is obviously not secure anymore,
> This statement is not based on reality, so the rest of the message
> does not follow. MD5 is not secure for applications that blindly
> sign inputs from non-trusted parties that can predict the content of
> the part of the message before the submitted text. This is an attack
> on the collision-resistance of the function. There have been no
> published practical attacks on the preimage-resistance of MD5.
No, but it's an algorithm against which attacks are already good
enough that we have to rely on peripheral CA practices like serial
number selection in order to be able to trust signatures. You're
right, of course, that SHA-1 is heading that way as well, and the
decisions we make here will likely shape policy for SHA-1's eventual
decommissioning as well.
A key difference with MD5 is that its retirement is plausible, since
CAs have largely moved away from, or are presently moving away from
issuing certs with these signatures, so that retirement without
breaking the internet is a possibility.
Obviously we need to actually have the ability to disable MD5, ideally
any algorithm, in the future. Nelson is working on that in bug 471539
as has been mentioned. The real question for me is how we establish a
timeline.
In a recent discussion with the members of the CABForum this topic
came up and I said to them that the discussion in the mozilla
community was still active (clearly) but that I would encourage CAs
not to count on MD5 support long term, and that if I had to ballpark a
timeline, I'd put it between 6-18 months, based very largely on our
confidence that doing so doesn't damage a significant portion of the
public web.
Figuring out that confidence level is another question. I'm working
on a side project here that I'll blog about shortly, but the net of it
is that I'll have a couple hundred thousand certs from the public
internet to help us draw those conclusions. For instance, here's the
data from 3000 or so (hardly enough to draw conclusions from):
2427 Signature Algorithm: sha1WithRSAEncryption
553 Signature Algorithm: md5WithRSAEncryption
4 Signature Algorithm: sha1WithRSA
1 Signature Algorithm: sha256WithRSAEncryption
1 Signature Algorithm: dsaWithSHA1
So:
- Do the work to arm ourselves so that when we are confident pulling
the trigger, we can actually do so with minimal changes (in case it
happens in a point release, for instance)
- Establish our feelings around how much of the net we are
comfortable invalidating if we kill an algorithm
- Establish a timeline we think is compatible with that
Please feel free to use "6-18 months" and "We should break less than
5% of SSL certs" as beating horses, if it helps.
Cheers,
Johnathan
---
Johnathan Nightingale
Human Shield
john...@mozilla.com
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
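An added example, not part of Johnathan's message or of any Mozilla/NSS code: the kind of tally his survey above implies, done with the Python standard library only. It reads the outer `signatureAlgorithm` OID straight out of each certificate's DER (no `openssl` or `cryptography` dependency), maps it to the names printed in the survey (OIDs from RFC 3279/4055 plus the old OIW arc 1.3.14.3.2.29 that OpenSSL labels `sha1WithRSA`), and reports what share of the corpus would stop validating if a given algorithm were disabled, the number to hold against the "less than 5%" figure. The function names (`tally`, `breakage_if_disabled`, `make_cert_skeleton`) are this example's own. Because no real certificates are embedded, the sample corpus is built from constructed DER skeletons that carry only a serial, the algorithm identifier and a zero bit string; they reproduce the survey's counts but are not signed certificates.

```python
"""Tally the signatureAlgorithm of every certificate in a corpus, stdlib only.
The certificates used below are constructed skeletons, not real ones."""
import base64
import collections

# OIDs for the algorithm names in the survey (RFC 3279/4055; the OIW arc
# 1.3.14.3.2.29 is what OpenSSL prints as "sha1WithRSA").
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.3.14.3.2.29": "sha1WithRSA",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted string."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """OID of the outer Certificate.signatureAlgorithm (the CA's signing algorithm)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)                   # tbsCertificate, skipped
    _, alg, _ = _read_tlv(cert, pos)                    # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return _decode_oid(oid)

def load_pem_bundle(text):
    """DER blobs for every CERTIFICATE block in a PEM bundle."""
    ders, block = [], None
    for line in text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            block = []
        elif line.startswith("-----END CERTIFICATE-----") and block is not None:
            ders.append(base64.b64decode("".join(block)))
            block = None
        elif block is not None:
            block.append(line.strip())
    return ders

def tally(ders):
    """Certificates per algorithm name; unknown OIDs are kept in dotted form."""
    counts = collections.Counter()
    for der in ders:
        oid = signature_algorithm(der)
        counts[SIG_ALG_OIDS.get(oid, oid)] += 1
    return counts

def breakage_if_disabled(counts, algorithms):
    """Percentage of the corpus that stops validating if these algorithms are disabled."""
    total = sum(counts.values())
    return 100.0 * sum(counts[a] for a in algorithms) / total if total else 0.0

# ---- constructed sample data (short-form DER lengths are enough here) ----
def _der(tag, payload):
    return bytes([tag, len(payload)]) + payload

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += bytes(chunk)
    return bytes(out)

def make_cert_skeleton(sig_oid):
    """CONSTRUCTED: a Certificate shell (one-byte serial as the whole TBS, the given
    signatureAlgorithm, zero BIT STRING). Not a real or verifiable certificate."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))

# Same distribution as the 2986-certificate sample quoted above.
SURVEY_SAMPLE = (
    [make_cert_skeleton("1.2.840.113549.1.1.5")] * 2427
    + [make_cert_skeleton("1.2.840.113549.1.1.4")] * 553
    + [make_cert_skeleton("1.3.14.3.2.29")] * 4
    + [make_cert_skeleton("1.2.840.113549.1.1.11")]
    + [make_cert_skeleton("1.2.840.10040.4.3")]
)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(make_cert_skeleton("1.2.840.113549.1.1.4")).decode()
              + "-----END CERTIFICATE-----\n")
```

On the survey distribution, `tally(SURVEY_SAMPLE)` gives back the five counts above and `breakage_if_disabled(counts, ["md5WithRSAEncryption"])` comes to 18.5%, well over the 5% line, which is what makes the 6-18 month horizon rather than an immediate cut the defensible reading of that data. On real input, feed `load_pem_bundle()` the output of a crawl and watch the MD5 share fall over time; the same loop, pointed at `sha1WithRSAEncryption`, is the SHA-1 decommissioning measurement the message anticipates.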