
Re: tlsa for smtp to @bugs.debian.org



On Fri, Sep 13, 2013 at 11:31:38PM +0200, Paul Wise wrote:
> On Fri, Sep 13, 2013 at 10:51 PM, Kurt Roeckx wrote:
> 
> > A self-signed cert's signature algorithm really isn't that
> > important.  You either trust that cert or you don't.
> 
> Surely this work would apply to self-signed certs too?
> 
> http://www.win.tue.nl/hashclash/rogue-ca/

Please note that there are 2 signatures involved here.  One is the
root CA signing itself.  The other is root CA signing another
certificate, which might be another CA.

Like I said, for the self-signature it's not important.  You
import the public key that is part of the cert and say that
you trust that.  There is no need for it to sign itself other
than that X509 requires a signature.

If you for instance compare this to SSH, you only transfer
the public key of either the user or the server.  It's never
signed.

But the CA shouldn't use md5 to sign someone else's cert.


Kurt
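
Added illustration, not part of the original message: a key-only pin, such as the association data of a TLSA record with selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256), does not change when the same key is wrapped in a certificate with a different signature algorithm. The certificate skeletons, the dummy key bytes and all function names below are constructed for this sketch.

```python
import hashlib

RSA = bytes.fromhex("2a864886f70d010101")         # OID rsaEncryption
MD5_RSA = bytes.fromhex("2a864886f70d010104")     # OID md5WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # OID sha256WithRSAEncryption

def tlv(tag, body):
    """DER-encode one element, using long-form length when needed."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def read(buf, pos):
    """Return (tag, body_start, end) for the DER element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def spki_of(cert):
    """Return the raw SubjectPublicKeyInfo bytes of a DER X.509 certificate."""
    _, pos, _ = read(cert, 0)        # Certificate
    _, pos, _ = read(cert, pos)      # tbsCertificate
    tag, _, end = read(cert, pos)
    if tag == 0xA0:                  # optional [0] version
        pos = end
    for _ in range(5):               # serial, sig alg, issuer, validity, subject
        _, _, pos = read(cert, pos)
    return cert[pos:read(cert, pos)[2]]

def spki_sha256(cert):
    """SHA-256 over the SPKI: TLSA selector 1, matching type 1."""
    return hashlib.sha256(spki_of(cert)).hexdigest()

def constructed_cert(sig_oid, spki):
    """Constructed test skeleton: X.509 layout, dummy names and signature."""
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))
    name = tlv(0x30, b"")
    validity = tlv(0x30, tlv(0x17, b"130913000000Z") * 2)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + sig_oid))

# Constructed key material: 200 dummy bytes, not a real RSA key.
SPKI = tlv(0x30, tlv(0x30, tlv(0x06, RSA) + tlv(0x05, b""))
           + tlv(0x03, b"\x00" + bytes(range(200))))
OLD, NEW = constructed_cert(MD5_RSA, SPKI), constructed_cert(SHA256_RSA, SPKI)
```

`spki_sha256(OLD)` and `spki_sha256(NEW)` are equal although the two certificates differ byte for byte; a hash over the whole certificate (TLSA selector 0) would differ between them.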

