Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

"Peter Hesse" <pmhesse@geminisecurity.com> Mon, 05 January 2009 06:54 UTC

From: Peter Hesse <pmhesse@geminisecurity.com>
To: 'RL 'Bob' Morgan' <rlmorgan@washington.edu>, 'Paul Hoffman' <paul.hoffman@vpnc.org>
References: <200812301605.mBUG5cKU027325@raisinbran.srv.cs.cmu.edu> <9535147E88DA266C69B983D0@atlantis.pc.cs.cmu.edu> <p0624081dc5802a331eac@[10.20.30.158]> <alpine.LFD.1.10.0812301313570.2644@perf.cac.washington.edu>
In-Reply-To: <alpine.LFD.1.10.0812301313570.2644@perf.cac.washington.edu>
Date: Tue, 30 Dec 2008 16:39:34 -0500
Message-ID: <08bb01c96ac7$1cd5a750$5680f5f0$@com>
Cc: ietf-pkix@imc.org, ietf-smime@imc.org, cfrg@irtf.org, saag@ietf.org
Subject: Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

Ceasing the issuance of certificates with MD5 used in the signature doesn't
solve the problem of the certificates that have already been issued and are
still out there, any number of which may be rogue.

Replacing, or marking as untrusted, all root certificates which have any
current valid (i.e. non-expired, non-revoked) certificates with MD5 used in
the signature could have tremendous undesirable impact and be an untenable
solution.

The right tool for the job is a client-side solution to fail validation of
any signature which uses MD5, especially certificate signatures.  I will not
hold my breath for such a solution.

--Peter 

----------------------------------------------------------------
 Peter Hesse                       pmhesse@geminisecurity.com
 http://securitymusings.com         http://geminisecurity.com

-----Original Message-----
From: owner-ietf-smime@mail.imc.org [mailto:owner-ietf-smime@mail.imc.org]
On Behalf Of RL 'Bob' Morgan
Sent: Tuesday, December 30, 2008 4:18 PM
To: Paul Hoffman
Cc: ietf-pkix@imc.org; ietf-smime@imc.org; saag@ietf.org; cfrg@irtf.org
Subject: Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

> Regardless of that, the authors of the MD5 paper are correct: trust 
> anchors signed with MD5 are highly questionable as of today (well, 
> actually, since they published their last paper). Hopefully, the 
> maintainers of the popular trust anchor repositories (Microsoft, 
> Mozilla, etc.) will yank out the trust anchors signed with MD5 (and 
> MD2!) as soon as possible.

This is a different claim than "CAs should stop issuing certs with MD5 
signatures", which is what I as an amateur take away from a quick scan of 
the material.  Obviously MD5 is suspect in various ways, but does this new 
work lead to the conclusion that MD5-signed roots are untrustworthy today?
Replacing a root is a much bigger deal than changing signing practices.

  - RL "Bob"


_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag
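Peter's point is that the right control is client-side: a relying party should fail validation of any certificate whose signature uses MD5 (or MD2), regardless of which CA issued it. The following is an added example, not code from this thread or from any of the participants: a minimal DER walk in Python that extracts the outer signatureAlgorithm OID from an X.509 Certificate, rejects MD2/MD5-based signature algorithms, and additionally flags a mismatch between the inner tbsCertificate.signature and the outer signatureAlgorithm (RFC 5280 requires them to agree, so a mismatch is a malformed or tampered certificate). The OID values are the PKCS#1 / RFC 3279 assignments; the certificate bytes used for the demonstration are constructed here and are not a real CA certificate.

```python
"""Client-side rejection of MD2/MD5-signed X.509 certificates.

Added example (not part of the original mailing-list thread). A real
validator does this as one step of chain building; here the check is
isolated so it can be read and run on its own. The sample certificate
is constructed in build_sample_certificate() and is not a real CA cert.
"""

# Signature-algorithm OIDs whose digest is MD2 or MD5 (PKCS#1 arc, RFC 3279).
# Anything in this set should fail validation on the client side.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}


def read_tlv(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, value, next_pos).

    Only single-byte tags and definite lengths up to four bytes are handled,
    which covers every element touched in a Certificate's outer structure.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(value):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc, in_arc = 0, False
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        in_arc = bool(b & 0x80)
        if not in_arc:
            arcs.append(acc)
            acc = 0
    if in_arc:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def algorithm_oid(alg_der, pos=0):
    """Return the OID inside an AlgorithmIdentifier SEQUENCE at alg_der[pos]."""
    tag, body, end = read_tlv(alg_der, pos)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid_value, _ = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_value), end


def signature_algorithm_oids(cert_der):
    """Return (inner, outer) signature OIDs of a DER-encoded Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, ... }
    """
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, pos = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, tpos = read_tlv(tbs, 0)                 # [0] version, if present
    tag, _, tpos = read_tlv(tbs, tpos if tag == 0xA0 else 0)  # serialNumber
    inner, _ = algorithm_oid(tbs, tpos)             # tbsCertificate.signature
    outer, _ = algorithm_oid(cert, pos)             # outer signatureAlgorithm
    return inner, outer


def check_certificate_signature(cert_der):
    """Return (ok, reason); ok is False for MD2/MD5 or inner/outer mismatch."""
    inner, outer = signature_algorithm_oids(cert_der)
    if inner != outer:
        return False, f"tbsCertificate.signature {inner} != signatureAlgorithm {outer}"
    if outer in WEAK_SIGNATURE_OIDS:
        return False, f"{WEAK_SIGNATURE_OIDS[outer]} ({outer}) uses a broken digest"
    return True, f"signature algorithm {outer} accepted"


# --- constructed sample data (demo only, not a real certificate) -------------

def der(tag, content):
    """Encode one DER TLV (content up to 65535 bytes)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100
                                          else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def build_sample_certificate(outer_oid, inner_oid=None):
    """Constructed Certificate with the real outer shape and dummy contents."""
    inner = der(0x30, encode_oid(inner_oid or outer_oid) + b"\x05\x00")
    outer = der(0x30, encode_oid(outer_oid) + b"\x05\x00")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + inner)
    sig = der(0x03, b"\x00" * 17)  # placeholder BIT STRING, not a real signature
    return der(0x30, tbs + outer + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(oid, check_certificate_signature(build_sample_certificate(oid)))
```

The check is deliberately placed on the relying party rather than the CA: it makes no difference who issued a certificate or whether it is still "valid" by expiry and revocation, an MD5-based signature fails. In a real client this test runs on every certificate in the chain, while a self-signed trust anchor is handled separately, since its signature is not what the trust decision rests on.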