On Wed, 31 Dec 2008 02:39:53 +0100, Cristian Ionescu-Idbohrn wrote:
> http://www.win.tue.nl/hashclash/rogue-ca/
>
> Could some skilled person comment on the article?
>
> I noticed around 20 certificates distributed with the package
> ca-certificates have "Signature Algorithm: md5WithRSAEncryption". Reason
> to worry?

Nah. What we really need to do is patch the crypto libs that use the certificates in ca-certificates to disable the use of broken algorithms such as MD5.

But at the end of the day, unless you actually do OCSP validation of every single connection you make, you are already running the risk of being MitM'd. And even then, you are basically relying on the CA companies to perform the task of validating the identities of certificate-holders, when they make a lot more money by simply rubber-stamping everything they see. :)

> Cheers,

Happy new year, and sleep well. ;)