Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CA certificate

Yoav Nir <ynir@checkpoint.com> Sun, 04 January 2009 07:30 UTC

Message-Id: <230CAA22-D118-4F29-9DC8-32FDCD7D771E@checkpoint.com>
From: Yoav Nir <ynir@checkpoint.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>
In-Reply-To: <495E3446.4070606@htt-consult.com>
Date: Sun, 04 Jan 2009 09:02:00 +0200
References: <495BA5E9.8040305@pobox.com> <495E3446.4070606@htt-consult.com>
Cc: cfrg@irtf.org, ietf-smime@imc.org, saag@ietf.org, ietf-pkix@imc.org, Peter Hesse <pmhesse@geminisecurity.com>, 'Mike' <mike-list@pobox.com>
Subject: Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate

On Jan 2, 2009, at 5:35 PM, Robert Moskowitz wrote:

>> Since MD5 is known bad and potentially dangerous at this point, I would
>> suggest that the best client side action would be to fail to verify any
>> signatures created using MD5.  This will break some things, especially if
>> existing business processes are relying on a certificate signed with MD5.
>> However, it is a fail-safe and would prevent a rogue CA certificate created
>> in this fashion from being considered trustworthy.
>>
>> And to Santosh's point (and others), my earlier email about
>> removing/replacing trust anchors was not because the self-signed
>> certificates are signed using MD5; I agree the trust anchor public keys are
>> protected using other mechanisms.  I am recommending that if CAs do nothing
>> to prevent this kind of attack (non-random serial numbers, issue
>> certificates signed with MD5, issue certificates in an automated,
>> predictable fashion) that those CAs should be removed from trust lists
>> because they are no longer acting in the interest of the relying party--they
>> are an accomplice to the creation of these rogue certificates.
> Peter,
>
> This sounds great at an IETF mike, but out in the field how do you get all
> those millions of browsers to pull down a new trust list that will no longer
> include CA foobar?
>
> Can't happen now, and the way things are going, ain't going to happen before
> 2026 either.

There's this one company such that if they use Windows update to update their
browsers, the others will follow. Technically, it's very easy to get rid of the
bad CAs. However, that company is not going to modify their browsers, not now,
probably not in the next few years.

> So what tool do we have to get compliance to best practices? The good old
> 5th estate, get out there and give bad press to foobar until they fix their
> behaviour or their business model collapses and they go out of business and
> can no longer issue potentially rogue certs.

I don't think you can get a message like that across. This story evokes more
of the "Wow! Clever hackers with 200 playstations" sentiment, not the
"criminal negligence" sentiment. You can't get the media angry with a company
unless the negligence causes something spectacular, like an exploding Ford
Pinto. Even Jesse Walker's "unsafe at any keylength" article didn't have quite
the impact of the original. And people still use WEP.

> We can talk and posture all we want in the IETF. We are rather good at that,
> IMNSHO. But this is perfect proof of our impact as such on the business model
> of companies that use our technology; they will do what is expedient, not
> what is Best Practices.

Best we can do is to get the CAs to

(1) not issue MD5 certs anymore and
(2) randomize the serial number and/or
(3) add a random fluff extension that people are talking about

But still, I don't see Microsoft removing a root CA because one of their
sub-CAs is issuing non-compliant certificates.

And if Microsoft don't, nobody else will. The Firefox/Opera/Safari/Chrome
people don't want any sites that "only work with Explorer".

