RE: MD5 algorithm in XSEC

[Milan Tomic]

Title: Nachricht

Hello Werner,   Are you aware of recent collision findings for MD5 algorithm?   For example:   1. Two certificates with the same MD5 digest (both certificates differs in only few (5 or 6) bytes of the public key):   http://www.win.tue.nl/~bdeweger/CollidingCertificates/   2. Two post script files with the same MD5 digest:   http://www.cits.rub.de/MD5Collisions/   3. Two executables with the same MD5 digest:   http://cryptography.hyperlink.cz/2004/collisions.htm   4. There are even tools, for creating MD5 collisions, available:   http://www.codeproject.com/dotnet/HackingMd5.asp   I think that MD5 algorithm support should be removed from Windows and Java as well (as soon as possible, with the next release or service pack). By supporting MD5 algortihm we are leaving security holes in our applications and we are giving our users fake feeling of security. For example, my bank is still using certificates signed with MD5 algorithm for e-banking. We are approaching to disaster and it is a question of a day or a month when we will hit the ground.   Best regards, Milan     From: Dittmann, Werner [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 26, 2005 11:10 AM To: security-dev@xml.apache.org Subject: AW: MD5 algorithm in XSEC   Milan,   some users of w3c security stuff, such as OASIS WebService security specification also define and use MD5 together with Signature. Thus I would not recommend to remove it.   Regards, Werner   -----Ursprüngliche Nachricht----- Von: Milan Tomic [mailto:[EMAIL PROTECTED] Gesendet: Mittwoch, 26. Oktober 2005 10:53 An: security-dev@xml.apache.org Betreff: MD5 algorithm in XSEC   Since MD5 digest algorithm is not recommended by W3C (http://www.w3.org/TR/xmldsig-core/#sec-MessageDigests ) we might consider removing it from XSEC?