Re: [SECURITY] [DSA 1888-1] New openssl packages deprecate MD2 hash signatures
On Wed, Sep 16, 2009 at 12:02:11AM +0200, Philipp Kern wrote:
> On Tue, Sep 15, 2009 at 11:37:22PM +0200, Moritz Muehlenhoff wrote:
> > Certificates with MD2 hash signatures are no longer accepted by OpenSSL,
> > since they're no longer considered cryptographically secure.
>
> looking at ca-certificates it would affect those certs from the Mozilla
> truststore:
>
> Verisign_Class_1_Public_Primary_Certification_Authority.crt
> Verisign_Class_2_Public_Primary_Certification_Authority.crt
> Verisign_Class_3_Public_Primary_Certification_Authority.crt
> Verisign_RSA_Secure_Server_CA.crt
>
> Those are Root CAs with MD2 signatures on them. This does not mean that they
> use MD2 to sign others, of course. Are those an attack vector and ought those
> to be dropped from the package? Especially as we store them on the user's
> system it should not be possible to spoof another key with a hash collision
> as only the one on disk should be trusted?
Since MD2 is ignored, no spoofing should be possible. And as long as
top-level self-signatures aren't checked[1], it should be fine to leave
those certs until they are updated (AFAIK, Verisign has re-signed their
top-level certs with SHA-1).
-Kees
[1] http://marc.info/?l=openssl-cvs&m=124508133203041&w=2
--
Kees Cook @debian.org
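The check behind Philipp's list above, as an added example that is not code from this thread, from Debian's ca-certificates, or from OpenSSL: a dependency-free DER walker that reads the outer signatureAlgorithm OID of every certificate in a PEM bundle and flags md2WithRSAEncryption. The two sample certificates are constructed DER skeletons with no valid signature, built only so the script runs offline; the OID table and the helper names are this example's own.

```python
import base64
import re
# PKCS#1 signature OIDs (RFC 3279 / RFC 4055); md2WithRSAEncryption is the one at issue.
SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def _tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid_to_str(raw):
    """Decode DER OBJECT IDENTIFIER contents into dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return the dotted OID of the outer Certificate.signatureAlgorithm."""
    _, pos, _ = _tlv(der, 0)                               # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, pos)                         # tbsCertificate, skipped whole
    _, alg_start, _ = _tlv(der, tbs_end)                   # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _oid_to_str(der[oid_start:oid_end])

def audit_pem_bundle(pem_text):
    """Return [(index, oid, name, is_md2)] for every certificate in a PEM bundle."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    rows = []
    for i, b64 in enumerate(re.findall(pat, pem_text, re.S)):
        oid = signature_algorithm(base64.b64decode("".join(b64.split())))
        rows.append((i, oid, SIG_OIDS.get(oid, "unknown"), oid == "1.2.840.113549.1.1.2"))
    return rows
def _der(tag, content):                                    # DER TLV, minimal length form
    n = len(content)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + content
def sample_cert_pem(sig_oid_hex):                          # constructed, non-verifiable skeleton
    tbs = _der(0x30, _der(0x02, b"\x02") + _der(0x04, b"\x00" * 200))  # exercises long-form length
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(cert).decode()
```

Run `audit_pem_bundle` over the contents of /etc/ssl/certs/ca-certificates.crt to reproduce the list; as Kees notes, a hit on a self-signed root is a housekeeping item rather than a spoofing risk, because the trust anchor's own signature is not what chain validation relies on.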