>The main difference is that my solution would force all MD5 certs out of >circulation by the given date, no matter their expiration date,
...for no valid security reason... > while yours would allow MD5 certs with long validity periods to stay in use. ...because there is no security problem with doing so. >The question is closely related to whether we are reasonably sure that noone >except the recent researchers managed to get a collision-signed cert or not. >If we are willing to take that small risk (which is probably smaller than the >unavoidable other risks like CA mistakes), and we don't care about CAs that >are not trusted in the default settings, and we assume that preimage attacks >on MD5 will not occur in the next years, then it is better just to disallow >issuing new certs as you suggested and not invalidating old ones. If you want to mistrust the cryptographer community so deeply, I'm not sure why you are even here. To date, not a single cryptographer of any stature has shown even a tiny bit of pre-image weakness in MD5 except for absurd scenarios (two messages that are millions of petabytes large). If you think you are smarter than they are, that's fine; I would prefer that Mozilla uses scientific research to make their decisions. >No matter what way will be chosen, the sooner it happens, the sooner we will >get rid of this security risk. Please state your security risk, and in particular, say why the proposal I made (force CAs to agree not to issue new MD5 certs, and to not allow any sub-CAs signed with MD5) does not cover your desire. >I think a "partial preimage attack" where you generate a "mostly" colliding >cert and where it is possible to compensate for random serial numbers after >the signature might be easier than a full preimage attack on normal certs. If you can show that, I'm sure that the crypto community would *love* to see the paper. It would be a major advance from where we are today, even with literally thousands of researchers working on the same or closely-related problems. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
