Re: [therightkey] algorithm blacklisting

Carl Wallace <> Fri, 03 January 2014 17:45 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 77C061ADFE0 for <>; Fri, 3 Jan 2014 09:45:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.601
X-Spam-Status: No, score=-4.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id u2ScWBpRIHOW for <>; Fri, 3 Jan 2014 09:45:43 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id B3FA71ADFD7 for <>; Fri, 3 Jan 2014 09:45:42 -0800 (PST)
Received: by with SMTP id t7so15599227qeb.6 for <>; Fri, 03 Jan 2014 09:45:35 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:user-agent:date:subject:from:to:message-id :thread-topic:references:in-reply-to:mime-version:content-type :content-transfer-encoding; bh=9C87o0dSYhowEWx2Httbgdf0xjCNQKJPvevBnUhwWtw=; b=ef+TrARR5nfVqzrDT/ty0peBDu0msCkeWDNYFOQK2YIgfJedFQqooI1u9uYIOlmb4u 1DpwI0y/VfJJwxaQxHEPcnFmEpKSGo0cm2vBeoDlQusYOvTWMjr8VTJh66Fo1dgHqm0C guxfxtkduue3zrrk941bbcsllct2SfPiaGlwyFA7LRDKXR/ZeFLuyTsdzJOysmGfjwu4 mwd8P1qx+0iCjp2ISXHF/clGIS5S1sXKpIZYUIb9L0FQ8BC7LChqxseOrNdFg8kiOb0I Vzgxvg5RmWtXTkJlh1Z6a/JiWQq7tKgmLJy35jpYzfPMaIHpEGwitlA9GOb36xiDQ7dL F01Q==
X-Gm-Message-State: ALoCoQkb0BwdNUZ80rMDoPagFtKS1bW3JWVrRoglVuBTdn79Dj1oS7+qq9159c6HU08gvRCXd43S
X-Received: by with SMTP id q5mr155441264qek.48.1388771135222; Fri, 03 Jan 2014 09:45:35 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id p20sm86650650qay.0.2014. for <> (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 03 Jan 2014 09:45:34 -0800 (PST)
User-Agent: Microsoft-MacOutlook/
Date: Fri, 03 Jan 2014 12:45:32 -0500
From: Carl Wallace <>
To: <>
Message-ID: <>
Thread-Topic: [therightkey] algorithm blacklisting
References: <> <>
In-Reply-To: <>
Mime-version: 1.0
Content-type: text/plain; charset="ISO-8859-1"
Content-transfer-encoding: quoted-printable
Subject: Re: [therightkey] algorithm blacklisting
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 03 Jan 2014 17:45:45 -0000

On 1/3/14, 12:37 PM, "Ralph Holz" <> wrote:

>>> Alternatively, pull the root cert from which MD5 signatures were
>>> As the MD5 attack still had considerable cost (for the hobby blackhat,
>>> not a 3-letter agency), it was deemed that this must suffice for a
>> To make the discussion CT-compliant, having logs provide a list of
>> algorithms that are used by each CA would be a nice feature to enable
>> decisions like this.
>Although, in the case you mention, that would not help all that much.
>Fortunately, the days of MD5 in X.509 are over.

I imagine other algorithms will see a similar fate at some point.

>But in fact, I've been thinking for a while that an additional
>monitoring infrastructure would be a nice-to-have thing in addition to
>CT --- and, FWIW, also TACK --- I view both drafts as naturally
>complementing each other.

Yes, better monitoring tools would be very helpful.

>CT, for example, is not meant to address the issue of whether
>certificates have been deployed correctly (e.g. correct host). I think
>active scans are still worthwhile to collect such information.

Identifying types of metrics that are useful to draw from a CT collections
seems like a worthwhile exercise.  Improved awareness of how a CA is used
sits under many suggestions, such as yours above to remove root CAs that
have used MD5.   

>Ralph Holz
>I8 - Network Architectures and Services
>Technische Universit√§t M√ľnchen
>Phone +
>PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
>therightkey mailing list