On 23.01.2009 12:14, Rob Stradling wrote:
For the additional signature(s) to become especially useful, the primary
signature on the certificate would need to be substantially broken (e.g. by a
pre-image attack on the hash algorithm). But if this happened, it is likely
that the CA would revoke the certificate.
CAs have not even revoked these certs which used the bad Debian keys.
MD5 could be shut down more easily by just having apps disable it in the
software, (using an app uipdate, admitedly, but that's needed for
security purposes anyways), rather than revoking certs.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
