On Sat, May 2, 2009 at 4:27 AM, Jonathan Schleifer
<[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> The biggest problem about it is that most of the root CAs use SHA-1. As
> it's possible for a well funded organization to generate collisions, it
> makes MITM possible. This is a big problem, as we depend a lot on TLS.

It's more complicated than that. You need to be able to generate
collisions with specific prefixes ("chosen prefix collisions")
*and* you need the CA to use a predictable sequence number.
As long as the CA uses random sequence numbers of sufficient
length, then this attack is not possible. Even without that, it's
not clear to me that the attack allows chosen prefix collisions.

-Ekr
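
A defender-side check for the condition Ekr names (random serial numbers of sufficient length), as an added example that is not part of the original thread. The two serial lists are constructed sample data, and the 64-bit threshold is an assumption used as a rule of thumb:

```python
"""Heuristic check of a CA's serial-number practice (added example, not from the thread).

Given serial numbers observed in certificates issued by one CA, flag the two
patterns that make the to-be-signed data predictable: short serials and
counter-like (sequential) serials.
"""

MIN_RANDOM_BITS = 64  # assumption: rule-of-thumb minimum width for unpredictable serials


def parse_serial(hex_serial: str) -> int:
    """Parse a colon- or space-separated hex serial such as '01:00:00:2a' into an int."""
    cleaned = hex_serial.replace(":", "").replace(" ", "").strip()
    return int(cleaned, 16)


def is_sequential(serials: list[int], max_step: int = 1000) -> bool:
    """True if the serials look like a counter: strictly increasing in small steps."""
    ordered = sorted(serials)
    return all(0 < b - a <= max_step for a, b in zip(ordered, ordered[1:]))


def assess_serials(hex_serials: list[str]) -> dict:
    """Return the estimated serial width, whether it is counter-like, and a verdict."""
    serials = [parse_serial(s) for s in hex_serials]
    # The largest serial gives an upper bound on how many bits the CA actually uses.
    max_bits = max(s.bit_length() for s in serials)
    sequential = is_sequential(serials)
    return {
        "max_bits": max_bits,
        "sequential": sequential,
        "predictable": sequential or max_bits < MIN_RANDOM_BITS,
    }


# Constructed samples: a counter-based CA and a CA using ~70-bit random serials.
SEQUENTIAL_CA = ["01:00:00:2a", "01:00:00:2b", "01:00:00:2c", "01:00:00:2e"]
RANDOM_CA = [
    "0c:9f:3e:61:b7:02:44:d8:1a",
    "5b:17:aa:09:ee:3c:71:f0:2d",
    "31:e4:0f:c8:92:55:6b:ab:07",
    "7e:02:d1:93:47:bc:19:e8:60",
]

if __name__ == "__main__":
    for name, sample in (("counter CA", SEQUENTIAL_CA), ("random CA", RANDOM_CA)):
        print(name, assess_serials(sample))
```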
