Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CA certificate

[Jeffrey Hutzelman <jhutz@cmu.edu>]

--On Tuesday, December 30, 2008 04:36:12 PM -0600 Nicolas Williams 
<Nicolas.Williams@sun.com> wrote:

> Applying a principle of redundancy in RTI algorithms to symmetric key
> protocols is fairly simple.  Applying such a principle to PKI seems
> rather more difficult -- it's not just hash algorithms, but pk
> algorithms too.  Your example was to require not just the implementation
> of multiple hash (but not pk) algorithms, but to require the *use* of
> those.  That makes sense to me, but it's not quite the same principle
> being applied to PKI as to SSH.

Correct.  I'm suggesting that in the case of PKI, merely having two RTI 
algorithms wouldn't be sufficient; at least for long-term certificates you 
need to actually sign using two algorithms in order to get the 
interoperability benefit.  Validating using both isn't necessary, though it 
does have a benefit, in that no code or configuration changes are required 
to continue to be safe as long as at least one is good enough.

IMHO, one of the biggest problems in the current PKI standards is that 
there is no ability to future-proof certificates by generating signatures 
with multiple algorithms.  The result is that you can't start signing with 
a new algorithm until everyone understands it, and you can't stop accepting 
an old algorithm without either reissuing lots of certificates with a new 
one or waiting for them to expire.  This means movement is very slow and we 
are unable to abandon a broken algorithm in a hurry.  The former is poor; 
the latter is a disaster waiting to happen.

-- Jeff
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag