IETF Logo Mail Archive

Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

Yoav Nir <ynir@checkpoint.com> Tue, 30 December 2008 22:02 UTC

Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6AA2A28C2E6; Tue, 30 Dec 2008 14:02:42 -0800 (PST)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1280028C2DF for <saag@core3.amsl.com>; Tue, 30 Dec 2008 14:02:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.608
X-Spam-Level:
X-Spam-Status: No, score=-2.608 tagged_above=-999 required=5 tests=[AWL=-0.009, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p6RTzHqq0fhP for <saag@core3.amsl.com>; Tue, 30 Dec 2008 14:02:41 -0800 (PST)
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by core3.amsl.com (Postfix) with ESMTP id E60D728C2E6 for <saag@ietf.org>; Tue, 30 Dec 2008 14:02:40 -0800 (PST)
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id E614A29C002; Wed, 31 Dec 2008 00:02:29 +0200 (IST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id 7F09C29C001; Wed, 31 Dec 2008 00:02:08 +0200 (IST)
X-CheckPoint: {495A98AD-10000-88241DC2-7B6}
Received: from [172.31.21.158] (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id mBUM27fE029359; Wed, 31 Dec 2008 00:02:08 +0200 (IST)
Message-Id: <9D2E555A-7A24-4FA7-ABF9-33F6F55AA8F2@checkpoint.com>
From: Yoav Nir <ynir@checkpoint.com>
To: RL 'Bob' Morgan <rlmorgan@washington.edu>
In-Reply-To: <alpine.LFD.1.10.0812301313570.2644@perf.cac.washington.edu>
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Wed, 31 Dec 2008 00:02:07 +0200
References: <200812301605.mBUG5cKU027325@raisinbran.srv.cs.cmu.edu> <9535147E88DA266C69B983D0@atlantis.pc.cs.cmu.edu> <p0624081dc5802a331eac@[10.20.30.158]> <alpine.LFD.1.10.0812301313570.2644@perf.cac.washington.edu>
X-Mailer: Apple Mail (2.930.3)
Cc: ietf-pkix@imc.org, ietf-smime@imc.org, cfrg@irtf.org, saag@ietf.org
Subject: Re: [saag] Further MD5 breaks: Creating a rogue CA certificate
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

>> Regardless of that, the authors of the MD5 paper are correct: trust  
>> anchors signed with MD5 are highly questionable as of today (well,  
>> actually, since they published their last paper). Hopefully, the  
>> maintainers of the popular trust anchor repositories (Microsoft,  
>> Mozilla, etc.) will yank out the trust anchors signed with MD5 (and  
>> MD2!) as soon as possible.
>
> This is a different claim than "CAs should stop issuing certs with  
> MD5 signatures", which is what I as an amateur take away from a  
> quick scan of the material.  Obviously MD5 is suspect in various  
> ways, but does this new work lead to the conclusion that MD5-signed  
> roots are untrustworthy today?
> Replacing a root is a much bigger deal then changing signing  
> practices.
>
> - RL "Bob"

CAs should have stopped issuing certs with MD5 signatures 4 years ago,  
when the first practical attacks on MD5 were published.

Now it would be more correct to say that "relying parties should treat  
as invalid any certificate chain that contains an MD5 (or MD2, MD4)  
signature"

Since in the HTTPS context the relying parties are the browsers, it  
falls to the vendors (if Microsoft leads, everyone will follow) to, as  
Paul said, yank the trust anchors.

It should be noted, though, that yanking the trust anchors is not  
enough. You really should change the relying party to not recognize  
this algorithm. Otherwise, it's perfectly valid for a CA whose  
certificate is signed with SHA1 to sign an intermediate CA certificate  
with MD5 (although they usually don't do that, I hope)


Email secured by Check Point
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag

v2.23.0 | Report a Bug | By Email