At 5:29 PM -0800 1/13/09, Julien R Pierre - Sun Microsystems wrote:
>Just because root CAs have stopped using MD5 doesn't mean every intermediate 
>CA in the world has stopped yet. It would be a fairly arduous task to 
>determine that. If a sub CA hasn't stopped using MD5 yet, they may be subject 
>to the attack still today.

Fully agree.

>And as the research paper shows, the attack allows creating rogue certs that 
>can be backdated, so that there is no way to detect them at a future time.

Assume that we cannot detect rogue certs.

>IMO, we don't have complete confidence that every CA and sub CA has closed the 
>MD5 hole yet,

Then we are failing at our job of policing our trust anchor repository. This is 
a much larger issue than whether a CA that we would want to remove anyway can 
be compromised by this attack.

We have rules for who is allowed in the repository. We can change those rules 
to say "must not sign with algorithms that use MD5". If someone breaks the 
rule, we remove them, and the threat is gone, without affecting the people who 
are safely using certs that were issued with MD5 when it was safe to do so.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
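One way a repository rule like the one above ("must not sign with algorithms that use MD5") can be checked mechanically, as an added example that is not part of the thread: a stdlib-only Python walker that reads the outer signatureAlgorithm OID of a DER certificate and flags md5WithRSAEncryption. The two sample certificates are constructed inside the block (not real CA certs), and the check looks only at the signing algorithm, not at whether a certificate was backdated.

```python
# Stdlib-only DER walker: read a certificate's signatureAlgorithm, flag MD5.
MD5_SIG_OID = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
SHA256_SIG_OID = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption, for contrast

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content octets (base-128 arcs) -> dotted string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """OID of the outer signatureAlgorithm, i.e. what the issuing CA used."""
    tag, body, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, after_tbs = _tlv(body, 0)          # skip tbsCertificate
    _, alg_id, _ = _tlv(body, after_tbs)     # AlgorithmIdentifier SEQUENCE
    return _decode_oid(_tlv(alg_id, 0)[1])   # its first element is the OID

def uses_md5_signature(cert_der):
    return signature_algorithm_oid(cert_der) == MD5_SIG_OID

# Constructed sample certificates (not real CA certs); short-form lengths only.
def _der(tag, content):
    return bytes([tag, len(content)]) + content
def _oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * a[0] + a[1]])
    for arc in a[2:]:                        # base-128, high bit on all but last
        bits = [(arc >> s) & 0x7F for s in range(0, arc.bit_length() or 1, 7)][::-1]
        out += bytes([b | 0x80 for b in bits[:-1]] + bits[-1:])
    return _der(0x06, bytes(out))
def _sample_cert(sig_oid):
    alg = _der(0x30, _oid(sig_oid) + b"\x05\x00")            # OID + NULL params
    tbs = _der(0x30, _der(0x02, b"\x01") + alg)              # serial + inner alg (truncated tbs)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xAA"))   # + signatureValue
MD5_CERT = _sample_cert(MD5_SIG_OID)
SHA256_CERT = _sample_cert(SHA256_SIG_OID)
```

On real input, feed the DER bytes of each CA and sub-CA certificate in the repository to `uses_md5_signature`; a hit means that issuer is still signing with MD5 and falls under the rule.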
