> Here are the MD5 certificate numbers we measured using Google Chrome's
> usage statistics collection service:
> http://dev.chromium.org/developers/md5-certificate-statistics

I don't see any way to edit that page, so I'll have to correct it here.

The first sentence is deceptively wrong, as we have discussed on this mailing list many times. The attack is not on "CAs that issue certificates signed with MD5-based signatures", it is on "CAs that issue certificates signed with MD5-based signatures and whose serial number and date of issue and revocation is predictable". There is a huge difference.

This makes the second sentence, "As a result, some browser developers are planning to drop support of MD5 certificates at some point" somewhat wrong as well. It would be much better stated "Because a browser cannot determine whether or not a CA uses unpredictable serial number and date of issue and revocation, some browser vendors...".

--Paul Hoffman

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto