Re: [SECURITY] [DSA 1888-1] New openssl packages deprecate MD2 hash signatures
* Philipp Kern:
> Those are Root CAs with MD2 signatures on them. This does not mean that they
> use MD2 to sign others, of course. Are those an attack vector and ought those
> to be dropped from the package?

The attack vector requires a complete break of MD2. You'd take that
published RSA-based self-signature on an MD2 hash value, and construct
something which hashes to the same value under MD2, but is more
meaningful than a self-signature (it could be another CA certificate,
for instance).

Cryptographically, self-signatures on root CA certificates do not
matter. Some implementations check them, but this is a mere
consistency check, adding no security value.
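
An inventory check for the distinction drawn in the reply above, added here as an example and not taken from the message or from the openssl packages: it reads the outer signature algorithm of a DER certificate and reports whether an MD2 signature sits on a self-issued root or on a certificate signed by another issuer. The function names, result labels and sample certificates are hypothetical and constructed; issuer == subject stands in for "self-signed" and the signature itself is not verified.

```python
MD2_RSA_OID = bytes.fromhex("2a864886f70d010102")     # md2WithRSAEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption

def read_tlv(buf, pos=0):
    # One DER element at pos -> (tag, value, next_pos); handles long-form lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    # Split the contents of a constructed element into (tag, value) pairs.
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def classify(cert_der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    (_, tbs), (_, sig_alg), _sig = children(read_tlv(cert_der)[1])
    fields = children(tbs)
    if fields[0][0] == 0xA0:  # skip the optional [0] version field
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]
    if children(sig_alg)[0][1] != MD2_RSA_OID:
        return "not-md2"
    # Assumption: equal names mean a self-signed root; the signature is not checked.
    return "md2-self-signature" if issuer == subject else "md2-issuer-signature"

def der(tag, *parts):  # minimal DER encoder, used only to build the samples
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def name(cn):  # Name with a single commonName attribute (OID 2.5.4.3)
    attr = der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, cn.encode()))
    return der(0x30, der(0x31, attr))

def sample_cert(issuer, subject, sig_oid):
    # Constructed skeleton: empty validity and key, placeholder signature bits.
    alg = der(0x30, der(0x06, sig_oid), der(0x05))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg,
              name(issuer), der(0x30), name(subject), der(0x30))
    return der(0x30, tbs, alg, der(0x03, bytes(9)))
```

Certificates reported as `md2-issuer-signature` are the ones whose MD2 signature a verifier actually relies on; `md2-self-signature` marks the root case the reply describes as a consistency check.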