Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

"Santosh Chokhani" <SChokhani@cygnacom.com> Tue, 30 December 2008 23:30 UTC

Date: Tue, 30 Dec 2008 18:30:13 -0500
Message-ID: <FAD1CF17F2A45B43ADE04E140BA83D4893657C@scygexch1.cygnacom.com>
In-Reply-To: <9D2E555A-7A24-4FA7-ABF9-33F6F55AA8F2@checkpoint.com>
Thread-Topic: [saag] Further MD5 breaks: Creating a rogue CA certificate
References: <200812301605.mBUG5cKU027325@raisinbran.srv.cs.cmu.edu><9535147E88DA266C69B983D0@atlantis.pc.cs.cmu.edu><p0624081dc5802a331eac@[10.20.30.158]><alpine.LFD.1.10.0812301313570.2644@perf.cac.washington.edu> <9D2E555A-7A24-4FA7-ABF9-33F6F55AA8F2@checkpoint.com>
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: Yoav Nir <ynir@checkpoint.com>, RL 'Bob' Morgan <rlmorgan@washington.edu>
Cc: ietf-pkix@imc.org, ietf-smime@imc.org, cfrg@irtf.org, saag@ietf.org
Subject: Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

Let us leave the trust anchors alone.  Your challenge of protecting
trust anchors does not change even if you use SHA-512 or a next generation
hash function yet to be determined.

-----Original Message-----
From: saag-bounces@ietf.org [mailto:saag-bounces@ietf.org] On Behalf Of
Yoav Nir
Sent: Tuesday, December 30, 2008 5:02 PM
To: RL 'Bob' Morgan
Cc: ietf-pkix@imc.org; ietf-smime@imc.org; cfrg@irtf.org; saag@ietf.org
Subject: Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

>> Regardless of that, the authors of the MD5 paper are correct: trust  
>> anchors signed with MD5 are highly questionable as of today (well,  
>> actually, since they published their last paper). Hopefully, the  
>> maintainers of the popular trust anchor repositories (Microsoft,  
>> Mozilla, etc.) will yank out the trust anchors signed with MD5 (and  
>> MD2!) as soon as possible.
>
> This is a different claim than "CAs should stop issuing certs with  
> MD5 signatures", which is what I as an amateur take away from a  
> quick scan of the material.  Obviously MD5 is suspect in various  
> ways, but does this new work lead to the conclusion that MD5-signed  
> roots are untrustworthy today?
> Replacing a root is a much bigger deal than changing signing  
> practices.
>
> - RL "Bob"

CAs should have stopped issuing certs with MD5 signatures 4 years ago,  
when the first practical attacks on MD5 were published.

Now it would be more correct to say that "relying parties should treat  
as invalid any certificate chain that contains an MD5 (or MD2, MD4)  
signature".

Since in the HTTPS context the relying parties are the browsers, it  
falls to the vendors (if Microsoft leads, everyone will follow) to, as  
Paul said, yank the trust anchors.

It should be noted, though, that yanking the trust anchors is not  
enough. You really should change the relying party to not recognize  
this algorithm. Otherwise, it's perfectly valid for a CA whose  
certificate is signed with SHA1 to sign an intermediate CA certificate  
with MD5 (although they usually don't do that, I hope).


_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag
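An added example, not from anyone in this thread, of the relying-party policy Yoav describes (reject any chain containing an MD2/MD4/MD5 signature) combined with Santosh's point that the trust anchor itself can be left alone, since a root's self-signature is never verified during path validation. Certificates are modelled as small constructed records carrying only subject, issuer and signatureAlgorithm OID; the OIDs are the standard PKCS #1 values and the names are hypothetical sample data.

```python
from dataclasses import dataclass

# signatureAlgorithm OIDs from PKCS #1 (RFC 3279 / RFC 4055)
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_oid: str  # algorithm the *issuer* used to sign this certificate


def weak_signatures(chain, anchors):
    """Return [(subject, algorithm name)] for every certificate in `chain`
    (ordered leaf -> root) whose signature uses a weak digest.
    A certificate that is itself a configured trust anchor is skipped: its
    signature is not checked in path validation (RFC 5280 section 6.1), so
    an MD5 self-signature on a root adds no risk by itself."""
    findings = []
    for cert in chain:
        if cert in anchors:
            continue
        if cert.sig_oid in WEAK_SIG_OIDS:
            findings.append((cert.subject, WEAK_SIG_OIDS[cert.sig_oid]))
    return findings


def chain_acceptable(chain, anchors):
    return not weak_signatures(chain, anchors)


# Constructed sample data. Chain A is the case Yoav warns about: a SHA-1
# signed root issuing an MD5-signed intermediate, which pulling MD5 roots
# alone would not catch. Chain B has an MD5 self-signed root but a modern
# sub-CA, which is fine as long as that root is a configured anchor.
ROOT = Cert("Example Root CA", "Example Root CA", SHA1_RSA)
INTERMEDIATE = Cert("Example Sub CA", "Example Root CA", "1.2.840.113549.1.1.4")
LEAF_A = Cert("www.example.test", "Example Sub CA", SHA256_RSA)
MD5_ROOT = Cert("Old MD5 Root", "Old MD5 Root", "1.2.840.113549.1.1.4")
GOOD_SUB = Cert("Modern Sub CA", "Old MD5 Root", SHA256_RSA)
LEAF_B = Cert("mail.example.test", "Modern Sub CA", SHA256_RSA)

if __name__ == "__main__":
    print(weak_signatures([LEAF_A, INTERMEDIATE, ROOT], {ROOT}))
    print(chain_acceptable([LEAF_B, GOOD_SUB, MD5_ROOT], {MD5_ROOT}))
```

Run against real chains, the same check would read `sig_oid` from each certificate's outer signatureAlgorithm field rather than from a constructed record.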