On Wed, Sep 16, 2009 at 12:02:11AM +0200, Philipp Kern wrote:
> On Tue, Sep 15, 2009 at 11:37:22PM +0200, Moritz Muehlenhoff wrote:
> > Certificates with MD2 hash signatures are no longer accepted by OpenSSL,
> > since they're no longer considered cryptographically secure.
>
> Looking at ca-certificates it would affect those certs from the Mozilla
> truststore:
>
> Verisign_Class_1_Public_Primary_Certification_Authority.crt
> Verisign_Class_2_Public_Primary_Certification_Authority.crt
> Verisign_Class_3_Public_Primary_Certification_Authority.crt
> Verisign_RSA_Secure_Server_CA.crt
>
> Those are Root CAs with MD2 signatures on them. This does not mean that they
> use MD2 to sign others, of course. Are those an attack vector and ought those
> to be dropped from the package? Especially as we store them on the user's
> system it should not be possible to spoof another key with a hash collision
> as only the one on disk should be trusted?
Since MD2 is ignored, no spoofing should be possible. And as long as top-level
self-signatures aren't checked[1], it should be fine to leave those certs until
they are updated (AFAIK, Verisign has re-signed their top-level certs with
SHA-1).

-Kees

[1] http://marc.info/?l=openssl-cvs&m=124508133203041&w=2

--
Kees Cook @debian.org
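The question in this thread is which certificates in a trust store carry an MD2 (or MD5) signature, and whether that matters. The following auditor is an added example, not code from either poster or from the ca-certificates package: it walks the outer `signatureAlgorithm` field of each DER certificate with a small stdlib-only ASN.1 reader and flags the md2WithRSAEncryption / md5WithRSAEncryption OIDs. The sample "certificates" it runs on are constructed, minimal Certificate-shaped DER structures (empty tbsCertificate, real algorithm OIDs, dummy signature), not real certificates; `audit_trust_store` and the file-name suffixes `.crt`/`.pem` are assumptions about how a store directory is laid out.

```python
import base64
import os
import re

# Signature-algorithm OIDs from PKCS #1 / RFC 3279 / RFC 4055.
# The two digest-based entries below are the ones OpenSSL stopped accepting.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KNOWN_SIGNATURE_OIDS = {
    **WEAK_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OID content octets (base-128 arcs) into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der):
    """Return the OID of the outer signatureAlgorithm of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)            # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)        # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid_bytes)


def audit_certificates(pem_data):
    """Return [(oid, name, is_weak)] for every PEM certificate in pem_data."""
    if isinstance(pem_data, str):
        pem_data = pem_data.encode()
    report = []
    for b64 in PEM_CERT_RE.findall(pem_data):
        der = base64.b64decode(b"".join(b64.split()))
        oid = signature_algorithm_oid(der)
        report.append((oid, KNOWN_SIGNATURE_OIDS.get(oid, "unknown"),
                       oid in WEAK_SIGNATURE_OIDS))
    return report


def audit_trust_store(directory):
    """Audit every .crt/.pem file in a directory (assumed store layout)."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith((".crt", ".pem")):
            with open(os.path.join(directory, name), "rb") as fh:
                findings[name] = audit_certificates(fh.read())
    return findings


# --- Constructed test data (not real certificates) -------------------------
MD2_RSA_OID_DER = bytes.fromhex("2a864886f70d010102")     # 1.2.840.113549.1.1.2
SHA256_RSA_OID_DER = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def _tlv(tag, content):
    assert len(content) < 0x80  # short-form length suffices for the samples
    return bytes([tag, len(content)]) + content


def make_sample_cert_der(oid_content):
    """Minimal Certificate-shaped DER: empty TBS, AlgorithmIdentifier, dummy sig."""
    alg_id = _tlv(0x30, _tlv(0x06, oid_content) + _tlv(0x05, b""))
    return _tlv(0x30, _tlv(0x30, b"") + alg_id + _tlv(0x03, b"\x00"))


def to_pem(der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


SAMPLE_PEM_BUNDLE = (to_pem(make_sample_cert_der(MD2_RSA_OID_DER))
                     + to_pem(make_sample_cert_der(SHA256_RSA_OID_DER)))

if __name__ == "__main__":
    for oid, name, weak in audit_certificates(SAMPLE_PEM_BUNDLE):
        print(("WEAK " if weak else "ok   ") + name + " (" + oid + ")")
```

Reading the report in the light of the thread: on a self-signed root the outer `signatureAlgorithm` is only the anchor's own self-signature, which OpenSSL does not verify for a trust anchor ([1] above), so a flagged root is not a path-validation risk by itself; a flagged intermediate or leaf certificate, whose signature is verified against its issuer's key, is the finding that actually needs acting on.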

