
Re: [SECURITY] [DSA 1888-1] New openssl packages deprecate MD2 hash signatures



On Wed, Sep 16, 2009 at 12:02:11AM +0200, Philipp Kern wrote:
> On Tue, Sep 15, 2009 at 11:37:22PM +0200, Moritz Muehlenhoff wrote:
> > Certificates with MD2 hash signatures are no longer accepted by OpenSSL,
> > since they're no longer considered cryptographically secure.
> 
> looking at ca-certificates it would affect those certs from the Mozilla
> truststore:
> 
> Verisign_Class_1_Public_Primary_Certification_Authority.crt
> Verisign_Class_2_Public_Primary_Certification_Authority.crt
> Verisign_Class_3_Public_Primary_Certification_Authority.crt
> Verisign_RSA_Secure_Server_CA.crt
> 
> Those are Root CAs with MD2 signatures on them.  This does not mean that they
> use MD2 to sign others, of course.  Are those an attack vector and ought those
> to be dropped from the package?  Especially as we store them on the user's
> system it should not be possible to spoof another key with a hash collision
> as only the one on disk should be trusted?

Since MD2 is ignored, no spoofing should be possible.  And as long as
top-level self-signatures aren't checked[1], it should be fine to leave
those certs until they are updated (AFAIK, Verisign has re-signed their
top-level certs with SHA-1).

-Kees

[1] http://marc.info/?l=openssl-cvs&m=124508133203041&w=2

-- 
Kees Cook                                            @debian.org
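
The distinction drawn in this thread (MD2 on a root's own self-signature versus MD2 on a certificate that has to be verified against an issuer), as an added example that is not part of the original messages or of OpenSSL: a minimal DER walk that reads the signature algorithm OID and compares issuer with subject. The function names, verdict strings and sample certificates are constructed for illustration, and issuer == subject is assumed to identify a self-signed root.

```python
# Added example; the sample certificates are constructed skeletons, not real CA data.
MD2_RSA = "1.2.840.113549.1.1.2"                  # md2WithRSAEncryption

def tlv(buf, pos):
    """Parse one DER element; return (tag, header_start, value_start, value_end)."""
    n, start = buf[pos + 1], pos + 2
    if n & 0x80:                                   # long form: low 7 bits count the length bytes
        k = n & 0x7F
        n, start = int.from_bytes(buf[start:start + k], "big"), start + k
    if start + n > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos], pos, start, start + n

def children(buf, start, end):                     # elements directly inside buf[start:end]
    out = []
    while start < end:
        out.append(tlv(buf, start))
        start = out[-1][3]
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                           # high bit clear ends this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def classify(der):
    """Return (signature OID, verdict) for one DER-encoded certificate."""
    tbs, sigalg, _sig = children(der, *tlv(der, 0)[2:])
    # drop the optional [0] version so v1 and v3 certificates index the same way
    fields = [f for f in children(der, tbs[2], tbs[3]) if f[0] != 0xA0]
    issuer, subject = (der[f[1]:f[3]] for f in (fields[2], fields[4]))
    alg = children(der, sigalg[2], sigalg[3])[0]
    oid = decode_oid(der[alg[2]:alg[3]])
    if oid != MD2_RSA:
        return oid, "ok"
    # assumption: issuer == subject stands in for "self-signed root in the trust store"
    return oid, "md2-root-self-signature" if issuer == subject else "md2-issued-cert"

def enc(tag, body):                                # short-form DER encoder, samples only
    return bytes([tag, len(body)]) + body

def sample_cert(issuer_cn, subject_cn, alg):       # alg: last arc of 1.2.840.113549.1.1.x
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(0x13, cn))))
    algid = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d0101") + bytes([alg])) + b"\x05\x00")
    tbs = enc(0x30, enc(0x02, b"\x01") + algid + name(issuer_cn) + enc(0x30, b"") + name(subject_cn))
    return enc(0x30, tbs + algid + enc(0x03, b"\x00"))
```

To run it over real files, convert each PEM certificate to DER bytes first (for instance with `ssl.PEM_cert_to_DER_cert`) and pass the result to `classify`.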

