On Tuesday 30 December 2008 22:07:08 Kyle Hamilton wrote:
I would suggest requiring all new roots approved to state that they do
not and will not use MD5 in any newly-minted certificate (except
possibly in a configuration like the TLS pseudo-random function).
FWIW, Comodo have never signed
A presentation was given at this year's Chaos Communication Congress in
which it was described how researchers were apparently able to produce
authentic signed SSL certificates thanks to a handful of CAs who rely on
MD5. If true, is it time to disable MD5 by default?
I would suggest requiring all new roots approved to state that they do
not and will not use MD5 in any newly-minted certificate (except
possibly in a configuration like the TLS pseudo-random function).
This is not yet policy, though it should be. (FWIW, this was known
two years ago.)
-Kyle H
* Kyle Hamilton:
I would suggest requiring all new roots approved to state that they do
not and will not use MD5 in any newly-minted certificate (except
possibly in a configuration like the TLS pseudo-random function).
If they issue certificates for sub-CAs, they have no technical means
to
4 matches
Mail list logo
