> -----Original Message----- > From: Milan Tomic [mailto:[EMAIL PROTECTED] > Sent: Thursday, October 27, 2005 10:43 AM > To: [email protected] > Subject: RE: MD5 algorithm in XSEC
> Are you aware of recent collision findings for MD5 algorithm? > > > I think that MD5 algorithm support should be removed from > Windows and Java as well (as soon as possible, with the next > release or service pack). By supporting MD5 algortihm we are > leaving security holes in our applications and we are giving > our users fake feeling of security. For example, my bank is > still using certificates signed with MD5 algorithm for > e-banking. We are approaching to disaster and it is a > question of a day or a month when we will hit the ground. Milan, from an academic point of view you are certainly right. But the MD5 Algorithm is still widely used, so removing MD5 would lead me into serious trouble. I receive XML-Files from embedded systems for example; these systems cannot be updated (theoretically they can, but how pays?). "Security" is a consideration between risk, cost and convenience. Even with a pessimistic point of view the risk that somebody changes my xml-files having the same hash is extremely low. So there is only little reason for me to change this. This is just an example, I think there arer several applications that need MD5. So I would vote to leave MD5-support as is, since it is standard conformand up today. Surely, I would not recommend using it, but what when you get signed files from an external source? Sometimes (like me) you just get the files, without a chance to change the behaviour of the foreign system. Regards Matthias
