Paul Hoffman wrote, On 2008-12-30 12:43:
> At 8:39 AM -0800 12/30/08, Nelson B Bolyard wrote:
>> The upshot of this is probably going to be that, in a short time, all 
>> the world's browsers (and PKI software in general) stop supporting MD5 
>> for use in digital signatures.

I should have written: digital signatures on certificates.
The patch that I wrote only affects signatures on digital certificates.

> That is not what the paper advocates. It suggests stopping support for
> MD5 in the signature algorithm for *trust anchors*, not in other
> messages. It should probably have also made the same recommendation for
> the signature algorithm in intermediate certificates as well (I take
> partial blame for it not saying that...).

> The attack outlined is a collision attack, not a preimage attack. Signed
> messages that use MD5 in the signature algorithm, but where the content
> of the message is determined by the signer, are not affected by the
> attack. Thus, if we "stop supporting MD5 for use in digital signatures"
> we will needlessly affect probably tens of thousands of legitimate web
> sites for which there is absolutely no known attack.

Agreed.  For that matter, we could permit MD5 signatures on certs whose
serial numbers are known to be random rather than sequential.  But that's
not easy to determine by examining the cert itself.

> Of course, the trust anchor store for Firefox should be revised as soon
> as possible to include no trust anchors that use MD5 in their signature
> algorithm. 

Well, of course, it's not the signature on the root CA cert itself that
matters.  It's the signature algorithm used on the certs issued by the
root.  And the issuer is always free to change that whenever they wish.
(Maybe they would have to change their CP/CPS if they did that.)  No
change to the trust anchor itself is required.

> Similarly, the trust anchor store for Firefox should be revised as soon
> as possible to include no trust anchors that use MD5 in their signature
> algorithm.

The last two sentences are both about MD5.  Did you mean MD2?

> Although the attack described in the paper does not directly affect MD2,
> it is very likely that the same math used by the researchers could be
> applied to MD2 as well.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

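The rule the thread converges on (reject MD2/MD5 in the signatureAlgorithm of any certificate that is not itself the self-signed trust anchor, since the anchor's own signature is not what an attacker forges) can be checked with nothing more than a DER walk over the chain. The script below is an added illustration by the editor, not the NSS patch Nelson describes; its certificates are constructed in-line with placeholder key and signature bytes so the parser can be exercised offline, and its OIDs (md2/md5/sha1WithRSAEncryption, rsaEncryption, commonName) are the standard PKCS#1 and X.520 values.

```python
# Added example (not the patch from the original message): a dependency-free
# checker for the rule discussed above, i.e. reject MD2/MD5 in the signature
# algorithm of any certificate that is not itself the self-signed anchor.
# The certificates below are constructed in-line (placeholder key and
# signature values, no real cryptography) purely to exercise the parser.

SEQ, INT, BITSTR, NULL, OID, UTF8, SET, UTCTIME, CTX0 = (
    0x30, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x31, 0x17, 0xA0)
RSA = "1.2.840.113549.1.1.1"
MD5_RSA, SHA1_RSA = "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"
WEAK = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
        "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}


def der(tag, content):
    """Encode one TLV, using long-form length when the value is >= 128 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(n):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return der(INT, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return bytes(out)

def decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Return (tag, value, position after this TLV); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, with a single CN."""
    return der(SEQ, der(SET, der(SEQ, der(OID, encode_oid("2.5.4.3")) + der(UTF8, cn.encode()))))

def make_cert(subject, issuer, serial, sig_oid):
    """Constructed Certificate: correct structure, dummy SPKI and signatureValue."""
    alg = der(SEQ, der(OID, encode_oid(sig_oid)) + der(NULL, b""))
    spki = der(SEQ, der(SEQ, der(OID, encode_oid(RSA)) + der(NULL, b"")) + der(BITSTR, bytes(33)))
    validity = der(SEQ, der(UTCTIME, b"081230000000Z") + der(UTCTIME, b"091230000000Z"))
    tbs = der(SEQ, der(CTX0, der_int(2)) + der_int(serial) + alg + name(issuer) + validity + name(subject) + spki)
    return der(SEQ, tbs + alg + der(BITSTR, bytes(33)))

def sample_chain():
    """Anchor signed with MD5 (tolerated), MD5 intermediate (rejected), SHA-1 leaf."""
    return [make_cert("Test Root CA", "Test Root CA", 1, MD5_RSA),
            make_cert("Test Sub CA", "Test Root CA", 4711, MD5_RSA),
            make_cert("www.example.test", "Test Sub CA", 2**63 + 5, SHA1_RSA)]

def inspect(cert_der):
    """Extract serialNumber, signatureAlgorithm OID and a self-signed flag."""
    _, cert, _ = read_tlv(cert_der)
    tbs, sig_alg, _sig_value = [v for _, v in children(cert)]
    fields = list(children(tbs))
    if fields[0][0] == CTX0:          # the explicit [0] version is optional
        fields = fields[1:]
    # fields now start: serialNumber, signature, issuer, validity, subject, ...
    return {"serial": int.from_bytes(fields[0][1], "big"),
            "sig_oid": decode_oid(next(v for t, v in children(sig_alg) if t == OID)),
            "self_signed": fields[2][1] == fields[4][1]}   # issuer DER == subject DER

def weak_digest_certs(chain):
    """(index, algorithm) for every non-self-signed cert signed with MD2 or MD5."""
    findings = []
    for i, cert in enumerate(chain):
        info = inspect(cert)
        if info["sig_oid"] in WEAK and not info["self_signed"]:
            findings.append((i, WEAK[info["sig_oid"]]))
    return findings

if __name__ == "__main__":
    chain = sample_chain()
    for i, c in enumerate(chain):
        print(i, inspect(c))
    print("rejected:", weak_digest_certs(chain))
```

On the sample chain only the intermediate is rejected: the anchor's MD5 self-signature is ignored, as Nelson argues, and the SHA-1 leaf passes. The serial number is reported alongside so a reviewer can see that 4711 is at least consistent with sequential issuance, but, as the thread notes, nothing in the certificate itself proves whether a serial was random or sequential, so the check does not try to exempt certificates on that basis.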