IETF Logo Mail Archive

Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate

pgut001@cs.auckland.ac.nz (Peter Gutmann) Tue, 06 January 2009 08:44 UTC

Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CAFB93A67D2; Tue, 6 Jan 2009 00:44:23 -0800 (PST)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 26AEB3A67D2 for <saag@core3.amsl.com>; Tue, 6 Jan 2009 00:44:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.652
X-Spam-Level:
X-Spam-Status: No, score=-5.652 tagged_above=-999 required=5 tests=[AWL=0.947, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ueynBh-0qlG for <saag@core3.amsl.com>; Tue, 6 Jan 2009 00:44:22 -0800 (PST)
Received: from mailhost.auckland.ac.nz (larry.its.auckland.ac.nz [130.216.12.34]) by core3.amsl.com (Postfix) with ESMTP id 2D7D33A6778 for <saag@ietf.org>; Tue, 6 Jan 2009 00:44:20 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id 7CAC71A20F; Tue, 6 Jan 2009 21:44:06 +1300 (NZDT)
X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz
Received: from mailhost.auckland.ac.nz ([127.0.0.1]) by localhost (larry.its.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wXHL334utc-6; Tue, 6 Jan 2009 21:44:06 +1300 (NZDT)
Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id 057771A202; Tue, 6 Jan 2009 21:44:00 +1300 (NZDT)
Received: from wintermute01.cs.auckland.ac.nz (wintermute01.cs.auckland.ac.nz [130.216.34.38]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id 78D7D1BE4002; Tue, 6 Jan 2009 21:43:56 +1300 (NZDT)
Received: from pgut001 by wintermute01.cs.auckland.ac.nz with local (Exim 4.63) (envelope-from <pgut001@wintermute01.cs.auckland.ac.nz>) id 1LK7XY-0004kA-BQ; Tue, 06 Jan 2009 21:43:56 +1300
From: pgut001@cs.auckland.ac.nz
To: tmiller@mitre.org, ynir@checkpoint.com
In-Reply-To: <49621BD4.1020909@mitre.org>
Message-Id: <E1LK7XY-0004kA-BQ@wintermute01.cs.auckland.ac.nz>
Date: Tue, 06 Jan 2009 21:43:56 +1300
Cc: cfrg@irtf.org, ietf-smime@imc.org, saag@ietf.org, pmhesse@geminisecurity.com, ietf-pkix@imc.org, mike-list@pobox.com
Subject: Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

"Timothy J. Miller" <tmiller@mitre.org> writes:

>The only reliable way to nuke a trusted cert from Windows is touch management
>of workstations.

It's worse than that, there is no reliable way to remove trusted certs from
Windows.  See Paul Hoffman's analysis at
http://www.proper.com/root-cert-problem/.

Peter.

_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag

v2.23.0 | Report a Bug | By Email