Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate

Mike <mike-list@pobox.com> Mon, 05 January 2009 06:54 UTC

Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9A8AD28C0FD; Sun, 4 Jan 2009 22:54:26 -0800 (PST)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 379893A6A7F for <saag@core3.amsl.com>; Wed, 31 Dec 2008 09:08:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.542
X-Spam-Level:
X-Spam-Status: No, score=-2.542 tagged_above=-999 required=5 tests=[AWL=0.057, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UHbj89CUYEnR for <saag@core3.amsl.com>; Wed, 31 Dec 2008 09:08:49 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-sasl-fastnet.sasl.smtp.pobox.com [207.106.133.19]) by core3.amsl.com (Postfix) with ESMTP id 0D4633A6883 for <saag@ietf.org>; Wed, 31 Dec 2008 09:08:47 -0800 (PST)
Received: from localhost.localdomain (unknown [127.0.0.1]) by a-sasl-fastnet.sasl.smtp.pobox.com (Postfix) with ESMTP id A7EB98CD08; Wed, 31 Dec 2008 12:04:09 -0500 (EST)
Received: from [192.168.1.8] (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-sasl-fastnet.sasl.smtp.pobox.com (Postfix) with ESMTPSA id AD05D8CCFD; Wed, 31 Dec 2008 12:04:05 -0500 (EST)
Message-ID: <495BA5E9.8040305@pobox.com>
Date: Wed, 31 Dec 2008 09:03:37 -0800
From: Mike <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.18 (Windows/20081105)
MIME-Version: 1.0
To: ietf-pkix@imc.org
References: <08bb01c96ac7$1cd5a750$5680f5f0$@com> <E1LHplH-0006Xw-V6@wintermute01.cs.auckland.ac.nz> <FAD1CF17F2A45B43ADE04E140BA83D4893658D@scygexch1.cygnacom.com> <495B8D28.6070601@mitre.org> <FAD1CF17F2A45B43ADE04E140BA83D489365A4@scygexch1.cygnacom.com>
In-Reply-To: <FAD1CF17F2A45B43ADE04E140BA83D489365A4@scygexch1.cygnacom.com>
X-Pobox-Relay-ID: 0A5CA3DC-D75D-11DD-B70C-5720C92D7133-38729857!a-sasl-fastnet.pobox.com
X-Mailman-Approved-At: Sun, 04 Jan 2009 22:54:23 -0800
Cc: ietf-smime@imc.org, cfrg@irtf.org, saag@ietf.org
Subject: Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

> We are simply not vigilant enough.  This issue has been on our plate
> since 2004.
> 
> SHA-1 is next and neither the client side vendors nor the big
> Enterprises have pushed to move to SHA-256.

There is a simple fix -- a CA can just reorder the extensions prior
to issuing a certificate.

Mike
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag