Paul Hoffman wrote:
> At 5:29 PM -0800 1/13/09, Julien R Pierre - Sun Microsystems wrote:
>> Just because root CAs have stopped using MD5 doesn't mean every
>> intermediate CA in the world has stopped yet. It would be a fairly
>> arduous task to determine that. If a sub CA hasn't stopped using
>> MD5 yet, they may be subject to the attack still today.
>
> Fully agree.
>
>> And as the research paper shows, the attack allows creating rogue
>> certs that can be backdated, so that there is no way to detect them
>> at a future time.
>
> Assume that we cannot detect rogue certs.
>
>> IMO, we don't have complete confidence that every CA and sub CA has
>> closed the MD5 hole yet,
>
> Then we are failing at our job of policing our trust anchor
> repository.

Yupp, and I think that's reality.

> This is a much larger issue than whether a CA that we would want to
> remove anyway can be compromised by this attack.

Yupp.

> We have rules for who is allowed in the repository. We can change
> those rules to say "must not sign with algorithms that use MD5". If
> someone breaks the rule, we remove them,

You have to know the sub-CA in question to remove the accompanying root CA. Mozilla cannot know all of them. Sub-CAs are often not audited at all. Sometimes not even the sub-CA's CP/CPS is reviewed by the root CA.

Anyway, I'd also vote for a config option for turning off MD5 (like turning off SSLv2 is possible and was made the default after a while).

Ciao, Michael.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
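As an added example (not code from this thread, Mozilla or NSS): a stdlib-only Python checker that walks a PEM bundle and flags every certificate whose signatureAlgorithm is md5WithRSAEncryption, the kind of chain check a "turn off MD5" option would need when the sub-CAs are unknown. The sample bundle is constructed, cert-shaped DER (empty tbsCertificate, real AlgorithmIdentifier OIDs), not real certificates.

```python
import base64, re
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}  # PKCS#1 MD5 signature OID
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, off):
    """Decode the DER tag/length at buf[off]; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def _decode_oid(raw):
    """Convert OID content octets to dotted-decimal form."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, start, _ = _tlv(der, 0)            # outer SEQUENCE
    _, _, tbs_end = _tlv(der, start)      # skip tbsCertificate entirely
    _, alg_start, _ = _tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])

def md5_signed_certs(pem_bundle):
    """Return [(index, algorithm name)] for every certificate in the bundle whose signature uses MD5."""
    hits = []
    for i, b64 in enumerate(PEM_RE.findall(pem_bundle)):
        oid = signature_algorithm_oid(base64.b64decode("".join(b64.split())))
        if oid in MD5_SIGNATURE_OIDS:
            hits.append((i, MD5_SIGNATURE_OIDS[oid]))
    return hits

def constructed_cert_pem(oid_octets):
    """Constructed cert-shaped DER (empty tbs, AlgorithmIdentifier, empty BIT STRING); not a real certificate."""
    der = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths suffice for this sample
    alg = der(0x30, der(0x06, oid_octets) + der(0x05, b""))
    cert = der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()

# Constructed bundle: a sha256WithRSAEncryption cert followed by an md5WithRSAEncryption one.
SAMPLE_BUNDLE = constructed_cert_pem(bytes.fromhex("2a864886f70d01010b")) + constructed_cert_pem(bytes.fromhex("2a864886f70d010104"))
```

Run against a real chain, `md5_signed_certs` reports the position of any MD5-signed intermediate so the chain can be rejected regardless of which root it hangs off.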