
Re: [SECURITY] [DSA 1888-1] New openssl packages deprecate MD2 hash signatures



* Philipp Kern:

> Those are Root CAs with MD2 signatures on them.  This does not mean that they
> use MD2 to sign others, of course.  Are those an attack vector and ought those
> to be dropped from the package?

The attack vector requires a complete break of MD2.  You'd take that
published RSA-based self-signature on an MD2 hash value, and construct
something which hashes to the same value under MD2, but is more
meaningful than a self-signature (it could be another CA certificate,
for instance).

Cryptographically, self-signatures on root CA certificates do not
matter.  Some implementations check them, but this is a mere
consistency check, adding no security value.
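
An added example, not part of the original message or of any Debian or OpenSSL code: a minimal audit that flags MD2-signed certificates but ignores the self-signature on a root that is already in the trust store, following the argument above. The function names, the `is_trust_anchor` flag and the sample certificates are assumptions constructed for illustration.

```python
# DER content bytes of OID 1.2.840.113549.1.1.2 (md2WithRSAEncryption)
MD2_RSA = bytes.fromhex("2a864886f70d010102")

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def inspect(der):
    """Return (signed_with_md2, issuer_equals_subject) for one certificate."""
    tbs, sig_alg, _signature = children(read_tlv(der)[1])
    fields = children(tbs[1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip [0] version
    issuer, subject = fields[2][1], fields[4][1]  # serial, alg, issuer, validity, subject
    return children(sig_alg[1])[0][1] == MD2_RSA, issuer == subject

def assess(der, is_trust_anchor):
    """A root in the trust store is trusted by membership, so its MD2
    self-signature is ignored; any other MD2 signature would be relied on."""
    md2, self_issued = inspect(der)
    if not md2:
        return "ok"
    return "ignore" if is_trust_anchor and self_issued else "reject"

# Constructed samples: skeleton certs (empty validity/key, dummy signature), short-form lengths.
def tlv(tag, *parts):
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
def name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, cn.encode()))))
def sample_cert(issuer, subject, alg_oid):
    alg = tlv(0x30, tlv(0x06, alg_oid), tlv(0x05))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg,
              name(issuer), tlv(0x30), name(subject), tlv(0x30))
    return tlv(0x30, tbs, alg, tlv(0x03, b"\x00\x00"))

ROOT_MD2 = sample_cert("Example Root", "Example Root", MD2_RSA)
SUB_MD2 = sample_cert("Example Root", "Example Sub CA", MD2_RSA)
```

For a real bundle, convert each PEM block to DER with `ssl.PEM_cert_to_DER_cert` before passing it to `assess`.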

