http://www.cs.columbia.edu/~smb/blog//2008-12/2008-12-30.html
Steve mentions the social pressures involved in disclosing the vulnerability:

    Verisign, in particular, appears to have been caught short. One of the CAs they operate still uses MD5. They said:

        The RapidSSL certificates are currently using the MD5 hash function today. And the reason for that is because when you're dealing with widespread technology and [public key infrastructure] technology, you have phase-in and phase-out processes that can take significant periods of time to implement. ...

    [4 years?]

    Legal pressure? Sotirov and company are not "hackers"; they're respected researchers. But the legal climate is such that they feared an injunction. Nor are such fears ill-founded; others have had such trouble. Verisign isn't happy: "We're a little frustrated at Verisign that we seem to be the only people not briefed on this". But given that the researchers couldn't know how Verisign would react, in today's climate they felt they had to be cautious.

    This is a dangerous trend. If good guys are afraid to find flaws in fielded systems, that effort will be left to the bad guys. Remember that for academics, publication is the only way they're really "paid". We need a legal structure in place to protect security researchers. To paraphrase an old saying, security flaws don't crack systems, bad guys do.

--

The researchers provided information under NDA to browser manufacturers, and Microsoft contacted Verisign providing no real details (http://blog.wired.com/27bstroke6/2008/12/berlin.html, the Wired article):

    Callan confirms Verisign was contacted by Microsoft, but he says the NDA prevented the software-maker from providing any meaningful details on the threat. "We're a little frustrated at Verisign that we seem to be the only people not briefed on this," he says.

    The researchers expect that their forged CA certificate will be revoked by Verisign following their talk, rendering it powerless. As a precaution, they set the expiration date on the certificate to August 2004, ensuring that any website validated through the bogus certificate would generate a warning message in a user's browser.

---

The 2007 paper (also from the Wired article):

    Chosen-prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities, Marc Stevens, Arjen Lenstra, and Benne de Weger
    http://www.win.tue.nl/hashclash/EC07v2.0.pdf

--

Nate Lawson's comments:
    http://rdist.root.org/2008/12/30/forged-ca-cert-talk-at-25c3/

To paraphrase Gibson, crypto security is available already, it just isn't equally distributed.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
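The expiration-date precaution quoted above only protects users whose relying party actually checks validity dates, and it is a backstop rather than a fix: the forged certificate is still MD5-signed, and so is every legitimate RapidSSL certificate Callan describes. As an added example (not code from the original post, from the researchers, or from any of the linked articles), the following Python inspects a DER-encoded X.509 certificate for the two properties the story turns on: the signature algorithm OID, rejecting md5WithRSAEncryption, and the validity window. The certificate bytes it tests are constructed by the script itself as a bare TBSCertificate skeleton with empty issuer and subject names and placeholder key and signature fields; the OIDs are the standard PKCS#1 values, while the dates and the fixed reference time are chosen for illustration.

```python
"""Reject MD5-signed and expired certificates (added example; stdlib only).

The DER test certificates are CONSTRUCTED below, not real CA material.
"""
import datetime as dt

# Standard PKCS#1 signature-algorithm OIDs (well known, not assumptions).
OID_MD5_RSA = "1.2.840.113549.1.1.4"
OID_SHA1_RSA = "1.2.840.113549.1.1.5"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
WEAK_SIGNATURE_OIDS = {OID_MD5_RSA: "md5WithRSAEncryption"}


# --- minimal DER encoder, used only to construct the test certificates ---
def der_encode(tag, value):
    """Encode one DER TLV with a definite length (up to 65535 bytes)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def encode_oid(dotted):
    """Encode a dotted OID: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_encode(0x06, bytes(body))


def encode_utctime(t):
    return der_encode(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_test_cert(sig_oid, not_before, not_after):
    """CONSTRUCTED skeleton: correct field order, empty names, dummy key/sig."""
    alg_id = der_encode(0x30, encode_oid(sig_oid) + der_encode(0x05, b""))
    tbs = der_encode(
        0x30,
        der_encode(0xA0, der_encode(0x02, b"\x02"))  # version: v3 (explicit [0])
        + der_encode(0x02, b"\x01")                  # serialNumber
        + alg_id                                     # signature (inner AlgorithmIdentifier)
        + der_encode(0x30, b"")                      # issuer (empty Name)
        + der_encode(0x30, encode_utctime(not_before) + encode_utctime(not_after))
        + der_encode(0x30, b"")                      # subject (empty Name)
        + der_encode(0x30, b""),                     # subjectPublicKeyInfo placeholder
    )
    return der_encode(0x30, tbs + alg_id + der_encode(0x03, b"\x00"))


# --- minimal DER reader, the part a relying party actually needs ---
def der_tlv(data, pos=0):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_time(tag, value):
    """UTCTime (YYMMDDHHMMSSZ, RFC 5280 century rule) or GeneralizedTime."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year, rest = yy + (1900 if yy >= 50 else 2000), s[2:]
    elif tag == 0x18:
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag %#x" % tag)
    return dt.datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                       int(rest[6:8]), int(rest[8:10]), tzinfo=dt.timezone.utc)


def inspect_certificate(der):
    """Return (signature OID, notBefore, notAfter) from a DER certificate."""
    tag, cert, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tbs, outer_alg, _sig = der_children(cert)[:3]
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:               # optional explicit version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, spki, ...
    inner_oid = decode_oid(der_children(fields[1][1])[0][1])
    outer_oid = decode_oid(der_children(outer_alg[1])[0][1])
    if inner_oid != outer_oid:             # RFC 5280 requires these to match
        raise ValueError("tbsCertificate.signature != signatureAlgorithm")
    not_before, not_after = (decode_time(t, v) for t, v in der_children(fields[3][1]))
    return inner_oid, not_before, not_after


def check_certificate(der, now):
    """Return the list of policy violations; an empty list means acceptable."""
    oid, not_before, not_after = inspect_certificate(der)
    problems = []
    if oid in WEAK_SIGNATURE_OIDS:
        problems.append("weak signature algorithm: " + WEAK_SIGNATURE_OIDS[oid])
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    return problems


# CONSTRUCTED inputs; a fixed reference time keeps the result reproducible.
NOW = dt.datetime(2008, 12, 30, tzinfo=dt.timezone.utc)
ROGUE_STYLE = build_test_cert(OID_MD5_RSA,                     # MD5-signed, expiry back-dated
                              dt.datetime(2004, 7, 31, tzinfo=dt.timezone.utc),
                              dt.datetime(2004, 8, 31, tzinfo=dt.timezone.utc))
SANE = build_test_cert(OID_SHA256_RSA,
                       dt.datetime(2008, 1, 1, tzinfo=dt.timezone.utc),
                       dt.datetime(2009, 12, 31, tzinfo=dt.timezone.utc))

if __name__ == "__main__":
    for name, der in (("rogue-style", ROGUE_STYLE), ("sane", SANE)):
        print(name, check_certificate(der, NOW) or "OK")
```

The MD5 check is deliberately independent of the expiry check: an attacker who builds a colliding certificate chooses its validity period, so only the algorithm check catches a forgery whose dates are still current. The parser also refuses certificates whose inner and outer AlgorithmIdentifiers disagree, since a verifier that reads one field while the signature covers the other is exactly the kind of inconsistency a collision attack can exploit.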