- Mozilla changes its rules for CAs in the trust anchor pile to say
that they must not issue certificates with RSA-MD5 starting on some
date (it could even be this year),
Sure, that would be a great way to start with. I think that saying "do
what you want but if you sign certs with MD5 your customers will be
very unhappy because these certs will show up as invalid after
2010-xx-yy, so we suggest not issuing any after 2009-xx-yy" would be
quite similar in effect, but would also have an effect on the CAs that
are not trusted by default in NSS. (Of course, Mozilla has no
obligation to keep those secure, but is there something speaking
against it?)
The main difference is that my solution would force all MD5 certs out
of circulation by the given date, no matter their expiration date,
while yours would allow MD5 certs with long validity periods to stay in
use. The question is closely related to whether we are reasonably sure
that no one except the recent researchers managed to get a
collision-signed cert or not. If we are willing to take that small risk
(which is probably smaller than the unavoidable other risks like CA
mistakes), and we don't care about CAs that are not trusted in the
default settings, and we assume that preimage attacks on MD5 will not
occur in the next years, then it is better just to disallow issuing new
certs as you suggested and not invalidate old ones.
However, this is just my opinion, Ian G seems to have pretty good
arguments why a purely technical decision (just dropping MD5 support
after announcement) might be better.
No matter what way will be chosen, the sooner it happens, the sooner we
will get rid of this security risk. (Mind that after the decision and
announcement it will take 1 year or more until the MD5 problem is
finally solved.) I think a "partial preimage attack" where you generate
a "mostly" colliding cert and where it is possible to compensate for
random serial numbers after the signature might be easier than a full
preimage attack on normal certs.
Putting pressure on the CAs to act soon and do so in a secure manner
(i.e. get rid of MD5 completely, more breaks are quite probable I
think) is a good idea, IMO, so I suggest that the ones who can make the
decision follow Paul's idea with a date like 3-6 months in the
future (shouldn't be that hard to change the signature algorithm) and
maybe follow up with mine to cover the remaining issues if it seems
necessary after that. I think announcing to disable MD5 support in 1.5
years would also lessen the probability that a CA thinks "let's ignore
their policy, they make an exception for us as we are too big to be
removed".
Jan
--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
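The two proposals discussed in the thread, modelled as validation policies over a certificate's signature algorithm and validity window. This is an added example, not code from the post or from NSS; the cutoff and drop dates stand in for the "2009-xx-yy" / "2010-xx-yy" placeholders, and the sample certificates are constructed. It shows the difference Jan points out: a long-lived RSA-MD5 cert issued before the cutoff survives under the issuance-cutoff policy but not under the hard-drop policy.

```python
from dataclasses import dataclass
from datetime import date

# Signature-algorithm OIDs (real PKCS#1 values).
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"

# Assumed placeholder dates; the post leaves them as 2009-xx-yy / 2010-xx-yy.
ISSUANCE_CUTOFF = date(2009, 7, 1)  # no RSA-MD5 cert may be issued after this
HARD_DROP_DATE = date(2010, 7, 1)   # from this day on, no RSA-MD5 cert validates


@dataclass(frozen=True)
class CertSummary:
    subject: str
    sig_alg_oid: str
    not_before: date
    not_after: date


def within_validity(cert: CertSummary, today: date) -> bool:
    return cert.not_before <= today <= cert.not_after


def issuance_cutoff_policy(cert: CertSummary, today: date) -> bool:
    """Paul's variant: an RSA-MD5 cert stays valid only if issued on or before the cutoff."""
    if not within_validity(cert, today):
        return False
    if cert.sig_alg_oid != MD5_WITH_RSA:
        return True
    return cert.not_before <= ISSUANCE_CUTOFF


def hard_drop_policy(cert: CertSummary, today: date) -> bool:
    """Jan's variant: from the drop date on, RSA-MD5 certs are rejected whatever their expiry."""
    if not within_validity(cert, today):
        return False
    if cert.sig_alg_oid != MD5_WITH_RSA:
        return True
    return today < HARD_DROP_DATE


def compare_policies(cert: CertSummary, today: date) -> dict:
    """Verdict of both proposals for one certificate on a given day."""
    return {"issuance_cutoff": issuance_cutoff_policy(cert, today),
            "hard_drop": hard_drop_policy(cert, today)}


# Constructed sample certificates (subjects are not real hosts).
LONG_LIVED_MD5 = CertSummary("legacy.example", MD5_WITH_RSA, date(2008, 1, 1), date(2013, 1, 1))
LATE_MD5 = CertSummary("late.example", MD5_WITH_RSA, date(2009, 9, 1), date(2010, 9, 1))
SHA1_CERT = CertSummary("sha1.example", SHA1_WITH_RSA, date(2009, 9, 1), date(2012, 9, 1))
```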