Re: "Certification Authorities are recommended to stop using MD5 altogether"

To: Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@axis.com>
Cc: debian-security@lists.debian.org
Subject: Re: "Certification Authorities are recommended to stop using MD5 altogether"
From: Jacob Appelbaum <jacob@appelbaum.net>
Date: Fri, 02 Jan 2009 03:35:43 +0100
Message-id: <[🔎] 495D7D7F.2060300@appelbaum.net>
In-reply-to: <0812310232100.8102@somehost>
References: <0812310232100.8102@somehost>

Cristian Ionescu-Idbohrn wrote:
> http://www.win.tue.nl/hashclash/rogue-ca/
> 
> Could some skilled person comment on the article?
> 
> I noticed around 20 certificates distributed with the package
> ca-certificates have "Signature Algorithm: md5WithRSAEncryption".
> Reason to worry?
> 
> 

Hi,

(I'm one of the authors of that research)

It's not entirely terrible (yet) that certificate authorities sign their
own certificate with MD5. If and when a second preimage attack becomes a
reality for MD5; it will be very bad news indeed...

Best,
Jacob

Reply to:

Prev by Date: Re: Certification Authorities are recommended to stop using MD5 altogether
Next by Date: Re: "Certification Authorities are recommended to stop using MD5 altogether"
Previous by thread: Re: "Certification Authorities are recommended to stop using MD5 altogether"
Next by thread: Re: "Certification Authorities are recommended to stop using MD5 altogether"
Index(es):
- Date
- Thread