IETF Logo Mail Archive

Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

der Mouse <mouse@Rodents-Montreal.ORG> Mon, 05 January 2009 10:07 UTC

Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ED51B3A677E; Mon, 5 Jan 2009 02:07:41 -0800 (PST)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9D16A3A677E; Mon, 5 Jan 2009 02:07:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.082
X-Spam-Level:
X-Spam-Status: No, score=-9.082 tagged_above=-999 required=5 tests=[AWL=0.906, BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fT6w0tIs71yO; Mon, 5 Jan 2009 02:07:39 -0800 (PST)
Received: from Sparkle.Rodents-Montreal.ORG (Sparkle.Rodents-Montreal.ORG [216.46.5.7]) by core3.amsl.com (Postfix) with ESMTP id 507583A63CB; Mon, 5 Jan 2009 02:07:39 -0800 (PST)
Received: (from mouse@localhost) by Sparkle.Rodents-Montreal.ORG (8.8.8/8.8.8) id FAA20784; Mon, 5 Jan 2009 05:06:55 -0500 (EST)
From: der Mouse <mouse@Rodents-Montreal.ORG>
Message-Id: <200901051006.FAA20784@Sparkle.Rodents-Montreal.ORG>
Mime-Version: 1.0
X-Erik-Conspiracy: There is no Conspiracy - and if there were I wouldn't be part of it anyway.
X-Message-Flag: Microsoft: the company who gave us the botnet zombies.
Date: Mon, 05 Jan 2009 04:57:19 -0500
To: ietf-pkix@imc.org, ietf-smime@imc.org, cfrg@irtf.org, saag@ietf.org
In-Reply-To: <alpine.LFD.1.10.0812301313570.2644@perf.cac.washington.edu>
References: <200812301605.mBUG5cKU027325@raisinbran.srv.cs.cmu.edu> <9535147E88DA266C69B983D0@atlantis.pc.cs.cmu.edu> <p0624081dc5802a331eac@[10.20.30.158]> <alpine.LFD.1.10.0812301313570.2644@perf.cac.washington.edu>
Subject: Re: [saag] Further MD5 breaks: Creating a rogue CA certificate
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

>> [...]
> This is a different claim than "CAs should stop issuing certs with
> MD5 signatures", which is what I as an amateur take away from a quick
> scan of the material.

What I, as an amateur, take away from it is approximately "MD5 is
showing more and more cracks and nobody should use it for anything that
needs to withstand a malicious adversary".

These may be the best openly published breaks of MD5 at the moment, but
I don't for a moment believe nobody has anything better - and I'm quite
sure the time to stop using it is now, when it can be done gracefully,
rather than in a frantic scramble a few months or years from now when
someone publishes a much more blatant break.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse@rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag

v2.23.0 | Report a Bug | By Email