Re: "Certification Authorities are recommended to stop using MD5 altogether"
On Wednesday, 31 December 2008, Cristian Ionescu-Idbohrn wrote:
> http://www.win.tue.nl/hashclash/rogue-ca/
>
> Could some skilled person comment on the article?
>
> I noticed around 20 certificates distributed with the package
> ca-certificates have "Signature Algorithm: md5WithRSAEncryption".
> Reason to worry?
>
It is a problem. It's a reason to worry.
But it is only one of many.
(They mentioned that in their presentation: It's a matter
of trust :-) )
Don't trust certificates too much.
See the following links for more information:
Peter Gutmann's homepage:
http://www.cs.auckland.ac.nz/~pgut001/
http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf
Peter Gutmann, PKI: It's Not Dead, Just Resting, 2002
http://www2.computer.org/portal/web/csdl/doi/10.1109/MC.2002.1023787
On the Security of Today’s Online Electronic Banking Systems
http://dx.doi.org/10.1016/S0167-4048(02)00312-7
Quite old, but you get the message...
Hope that helps...