Re: "Certification Authorities are recommended to stop using MD5 altogether"

To: Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@axis.com>
Cc: debian-security@lists.debian.org
Subject: Re: "Certification Authorities are recommended to stop using MD5 altogether"
From: Florian Weimer <fw@deneb.enyo.de>
Date: Wed, 31 Dec 2008 16:30:59 +0100
Message-id: <[🔎] 87bpusmkek.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 0812310232100.8102@somehost> (Cristian Ionescu-Idbohrn's message of "Wed, 31 Dec 2008 02:39:53 +0100 (CET)")
References: <[🔎] 0812310232100.8102@somehost>

* Cristian Ionescu-Idbohrn:

> I noticed around 20 certificates distributed with the package
> ca-certificates have "Signature Algorithm: md5WithRSAEncryption".
> Reason to worry?

These are self-signatures and typically not checked anyway.  When
these CA certificates are used to issue other certificates, they can
use SHA-1, and are not restricted to MD5.  (Same comment applies to
the certificates with MD2 self-signatures.)

Only the CA knows if it still issues certificates with MD5 signatures.

Reply to:

References:
- "Certification Authorities are recommended to stop using MD5 altogether"
  - From: Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@axis.com>

Prev by Date: Re: "Certification Authorities are recommended to stop using MD5 altogether"
Next by Date: Re: "Certification Authorities are recommended to stop using MD5 altogether"
Previous by thread: Re: "Certification Authorities are recommended to stop using MD5 altogether"
Next by thread: correspondance avec toi
Index(es):
- Date
- Thread