At 10:19 PM -0500 12/30/08, Jerry Leichter wrote:
>Robert Graham writes in Errata Security
>(http://erratasec.blogspot.com/2008/12/not-all-md5-certs-are-vulnerable.html)
>that the attack depends on being able to predict the serial number field that
>will be assigned to a legitimate certificate by the CA.

That part is true.

>Only a few CA's use predictable "serial numbers"

That part, I think, is wrong. I looked into this a bit earlier this month and found that most of the ones I looked at are still using sequential numbers.

>- the field is actually arbitrary text

If by "arbitrary text" you mean "a non-negative integer".

>and need only be certainly unique among all certificates issued by a given CA.

True as well.

>So: The current attack is only effective against a very small number of CA's
>which both use MD5 *and* have predictable sequence numbers.

The attack is on end users who trust a root store that has a trust anchor from *any single* CA that uses MD5 and has predictable sequence numbers. The attack lets the attacker become a subordinate CA for that CA. At that point, the attacker can issue their own certs for any purpose.

>So the sky isn't falling

It never does. That's why it is the sky.

>- though given how hard it is to "decertify" a CA (given that the "known good"
>CA's are known to literally billions of pieces of software, and that hardly
>anyone checks CRL's - and are there even CRL's for CA's?) this is certainly
>not a good situation.

There are not CRLs for CAs. That's why it is a root store. Oh, and how do you create a definitive list of CAs that use MD5 in their signatures?

>This also doesn't mean that, now that the door has been opened, other attacks
>won't follow. In fact, it's hard to imagine that this is the end of the
>story....

Quite right.

--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]
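Paul's closing question about listing the CAs that sign with MD5 points at a check a root-store audit can run. The example below is added here and is not any poster's code: it walks the DER of a certificate to read the serialNumber and the signature algorithm OID, then flags an issuer whose certs use md5WithRSAEncryption and whose serials simply count up. The certificates it parses are constructed fragments carrying only the TBS fields the parser reads, not real CA certificates.

```python
# Added example for this thread (not any poster's code): a minimal DER walk that
# reads serialNumber and the signature AlgorithmIdentifier from a certificate, so
# a root-store audit can flag issuers that sign with MD5 and count serials up.
MD5_WITH_RSA = "1.2.840.113549.1.1.4"           # md5WithRSAEncryption OID
OID_MD5_RSA = bytes.fromhex("2a864886f70d010104")  # its DER body

def der_tlv(buf, pos):
    """(tag, value_start, value_end) of the TLV at buf[pos]; long-form lengths handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER body."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                            # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def cert_serial_and_sigalg(der):
    """Certificate -> tbsCertificate -> (serialNumber, signature algorithm OID)."""
    _, tbs, _ = der_tlv(der, 0)                  # outer Certificate SEQUENCE
    _, pos, _ = der_tlv(der, tbs)                # tbsCertificate SEQUENCE
    tag, vstart, vend = der_tlv(der, pos)
    if tag == 0xA0:                              # optional [0] EXPLICIT version
        tag, vstart, vend = der_tlv(der, vend)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    serial = int.from_bytes(der[vstart:vend], "big", signed=True)
    _, alg, _ = der_tlv(der, vend)               # signature AlgorithmIdentifier SEQUENCE
    _, ostart, oend = der_tlv(der, alg)          # its algorithm OID
    return serial, decode_oid(der[ostart:oend])

def md5_with_predictable_serials(certs):
    """True if the issuer of these certs signs with MD5 and its serials simply count up."""
    parsed = [cert_serial_and_sigalg(c) for c in certs]
    serials = [s for s, _ in parsed]
    sequential = all(b - a == 1 for a, b in zip(serials, serials[1:]))
    return sequential and any(oid == MD5_WITH_RSA for _, oid in parsed)

def _tlv(tag, value):                            # constructed-sample helper (short lengths only)
    return bytes([tag, len(value)]) + value
def make_sample_cert(serial, oid_body):
    """Constructed DER carrying only the TBS fields the parser reads; not a real cert."""
    alg = _tlv(0x30, _tlv(0x06, oid_body) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial.to_bytes(2, "big")) + alg)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
```

Feeding it the certificates actually issued by one CA (a handful of recent ones, sorted by issue time) is enough to answer the two questions the thread turns on: the hash in the signature and whether the next serial is guessable.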
