Cristian Ionescu-Idbohrn wrote: > http://www.win.tue.nl/hashclash/rogue-ca/ > > Could some skilled person comment on the article? > > I noticed around 20 certificates distributed with the package > ca-certificates have "Signature Algorithm: md5WithRSAEncryption". > Reason to worry? > >
Hi, (I'm one of the authors of that research) It's not entirely terrible (yet) that certificate authorities sign their own certificate with MD5. If and when a second preimage attack becomes a reality for MD5; it will be very bad news indeed... Best, Jacob -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org