Re: "Certification Authorities are recommended to stop using MD5 altogether"
On Wed, 31 Dec 2008 02:39:53 +0100, Cristian Ionescu-Idbohrn wrote:
> Could some skilled person comment on the article?
> I noticed around 20 certificates distributed with the package
> ca-certificates have "Signature Algorithm: md5WithRSAEncryption". Reason
> to worry?
Nah. What we really need to do, is patch the crypto libs use the
certificates in ca-certificates to disable the use of broken algorithms
such as MD5.
But at the end of the day, unless you actually do OCSP validation of
every single connection you make, you are already running the risk of
And even then, you are basically relying on the CA companies to perform
the task of validating the identities of certificate-holders, when they
make a lot more money by simply rubber-stamping everything they see. :)
Happy new year, and sleep well. ;)