On Wednesday, 31 December 2008, Cristian Ionescu-Idbohrn wrote:
> http://www.win.tue.nl/hashclash/rogue-ca/
>
> Could some skilled person comment on the article?
>
> I noticed around 20 certificates distributed with the package
> ca-certificates have "Signature Algorithm: md5WithRSAEncryption".
> Reason to worry?
>

It is a problem. It's a reason to worry. But it is only one of many.
(They mentioned that in their presentation: It's a matter of trust :-) )

Don't trust certificates too much. See the following links for more information:

Homepage Peter Gutmann:
http://www.cs.auckland.ac.nz/~pgut001/
http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf

Peter Gutmann, PKI: It's Not Dead, Just Resting 2002
http://www2.computer.org/portal/web/csdl/doi/10.1109/MC.2002.1023787

On the Security of Today’s Online Electronic Banking Systems
http://dx.doi.org/10.1016/S0167-4048(02)00312-7

Quite old, but you get the message...

Hope that helps...