Re: "Certification Authorities are recommended to stop using MD5 altogether"

To: debian-security@lists.debian.org
Subject: Re: "Certification Authorities are recommended to stop using MD5 altogether"
From: Sam Morris <sam@robots.org.uk>
Date: Thu, 1 Jan 2009 14:56:52 +0000 (UTC)
Message-id: <[🔎] pan.2009.01.01.14.56.52@robots.org.uk>
References: <0812310232100.8102@somehost>

On Wed, 31 Dec 2008 02:39:53 +0100, Cristian Ionescu-Idbohrn wrote:

> http://www.win.tue.nl/hashclash/rogue-ca/
> 
> Could some skilled person comment on the article?
> 
> I noticed around 20 certificates distributed with the package
> ca-certificates have "Signature Algorithm: md5WithRSAEncryption". Reason
> to worry?
> 
> 
> Cheers,

As an aside to my previous post, you may find the following link 
interesting:

https://bugzilla.mozilla.org/show_bug.cgi?id=471539

Maybe in a few years, NSS will have disabled the use of MD5 and the 
ancient MD2 algorithm. I wonder how many other insecure algorithms are 
still lurking in NSS, OpenSSL, GNU TLS, Java, etc...

-- 
Sam Morris
https://robots.org.uk/

Reply to:

Follow-Ups:
- Re: "Certification Authorities are recommended to stop using MD5 altogether"
  - From: "Michael Marsh" <michael.a.marsh@gmail.com>
- Re: "Certification Authorities are recommended to stop using MD5 altogether"
  - From: Simon Josefsson <simon@josefsson.org>

Prev by Date: Re: "Certification Authorities are recommended to stop using MD5 altogether"
Next by Date: Re: "Certification Authorities are recommended to stop using MD5 altogether"
Previous by thread: Re: "Certification Authorities are recommended to stop using MD5 altogether"
Next by thread: Re: "Certification Authorities are recommended to stop using MD5 altogether"
Index(es):
- Date
- Thread