Gervase,

Gervase Markham wrote:
> Ben Bucksch wrote:
>> I propose to announce that we'll stop supporting MD5 in 3 months, and
>> ask website owners to get new certs.
>
> On the basis of any known risk?
>
> The current attack requires the attacker to be able to get a cert signed
> for a key they control. If all CAs stop using MD5 (which they should
> have following this disclosure) then the attack mechanism is closed off.
> I agree MD5 is unsafe and needs to be phased out, but given that there
> is no current threat, we need to balance speed and inconvenience (both
> to sites, and to users when the sites they want to visit stop working).

Just because root CAs have stopped using MD5 doesn't mean every intermediate CA in the world has stopped yet. It would be a fairly arduous task to determine that. If a sub CA hasn't stopped using MD5 yet, they may be subject to the attack still today. And as the research paper shows, the attack allows creating rogue certs that can be backdated, so that there is no way to detect them at a future time.

IMO, we don't have complete confidence that every CA and sub CA has closed the MD5 hole yet, and we can't be certain how long it will take after the full details of the attack are disclosed for it to be replicated.

As a precaution, I think it makes sense to have a configuration option for turning off all MD5 support today, and it also makes sense to be prudent and set a date to unconditionally stop supporting MD5 at all. 3 months may be a short time, but the full details will be published very soon, and the authors estimate that it would take about a month to replicate their attack.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
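
The configuration option proposed above amounts to one rule: refuse any certificate whose signature algorithm is an MD5-based OID, on every link of the chain where a signature is actually relied on, regardless of the certificate's dates (a backdated rogue cert passes any notBefore check, which is why the algorithm itself has to be the gate). The following is an added example, not code from this thread or from NSS/Mozilla, that implements that gate in standard-library Python: a minimal DER reader pulls the outer signatureAlgorithm OID out of each certificate, and the chain check refuses MD2/MD5 signatures on everything except the trust anchor, whose self-signature is never relied on. The certificates it runs on are constructed stand-ins with only the outer Certificate layout the check reads; the OIDs are the standard PKCS #1 values.

```python
"""Refuse MD2/MD5-signed certificates wherever a signature is relied on.

Added example; not from the thread or from NSS. Only the outer layout
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
is parsed, and no signature is verified. Fixtures are constructed, not real certs.
"""

# PKCS #1 signature-algorithm OIDs to refuse.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:                # base-128, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Return the dotted OID of a certificate's outer signatureAlgorithm."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)  # tbsCertificate: skipped, not needed here
    tag, alg, _ = _read_tlv(body, pos) # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def check_chain(chain_der):
    """Return [(index, algorithm_name)] for each certificate that must be refused.

    chain_der is ordered leaf first, trust anchor last. The anchor's self-signature
    is not relied on (trust comes from the store), so it is skipped; every other
    signature, an intermediate CA's included, is checked. No date check: the
    algorithm is the gate, since a rogue cert can be backdated at will.
    """
    problems = []
    for i, cert in enumerate(chain_der[:-1]):
        oid = signature_algorithm_oid(cert)
        if oid in WEAK_SIG_OIDS:
            problems.append((i, WEAK_SIG_OIDS[oid]))
    return problems


# ---- constructed fixtures (not real certificates) --------------------------

def _der(tag, content):
    """Encode one DER TLV (lengths up to 65535, enough for the fixtures)."""
    n = len(content)
    if n < 0x80:
        header = bytes([tag, n])
    elif n < 0x100:
        header = bytes([tag, 0x81, n])
    else:
        header = bytes([tag, 0x82, n >> 8, n & 0xFF])
    return header + content


def _encode_oid(dotted):
    """Encode a dotted OID to DER content octets (inverse of _decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert(sig_oid):
    """Certificate-shaped SEQUENCE with stub tbsCertificate and stub signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                                  # serial 1
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))  # OID + NULL
    sig = _der(0x03, b"\x00" * 33)                                         # BIT STRING
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Leaf signed with MD5 by an intermediate, intermediate signed with SHA-1,
    # MD5-self-signed root: only the leaf is refused.
    chain = [fake_cert("1.2.840.113549.1.1.4"),
             fake_cert("1.2.840.113549.1.1.5"),
             fake_cert("1.2.840.113549.1.1.4")]
    print(check_chain(chain))          # [(0, 'md5WithRSAEncryption')]
```

Two points of design follow the thread's own argument: the check covers intermediate CA certificates as well as the leaf, because a sub CA that is still signing with MD5 is exactly the case a root-CA-only audit misses; and it ignores validity dates entirely, because the attack the paper describes lets the rogue cert carry any notBefore the attacker wants.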
