At 8:39 AM -0800 12/30/08, Nelson B Bolyard wrote:
>The upshot of this is probably going to be that, in a short time, all
>the world's browsers (and PKI software in general) stop supporting MD5
>for use in digital signatures.
That is not what the paper advocates. It suggests stopping support for MD5 in the signature algorithm for *trust anchors*, not in other messages. It should probably have also made the same recommendation for the signature algorithm in intermediate certificates (I take partial blame for it not saying that...).

The attack outlined is a collision attack, not a preimage attack. Signed messages that use MD5 in the signature algorithm, but where the content of the message is determined by the signer, are not affected by the attack. Thus, if we "stop supporting MD5 for use in digital signatures" we will needlessly affect probably tens of thousands of legitimate web sites for which there is absolutely no known attack.

Of course, the trust anchor store for Firefox should be revised as soon as possible to include no trust anchors that use MD5 in their signature algorithm.

Although the attack described in the paper does not directly affect MD2, it is very likely that the same math used by the researchers could be applied to MD2 as well.

--Paul Hoffman

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
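The distinction drawn in the message above (a weak digest in the signatureAlgorithm of a trust anchor or intermediate is a different matter from one on an end-entity certificate) can be turned into a chain check. The following is an added example, not code from the thread or from any Mozilla/NSS component: it reads each certificate's outer signatureAlgorithm OID with a minimal DER parser and applies the policy argued for above, rejecting MD2/MD5 on the trust anchor and on intermediates while only warning on the leaf. The certificates it runs on are constructed stand-ins (`fake_cert`) with a dummy tbsCertificate, built so the DER decoder is exercised on realistic structure; the function and variable names are this example's own.

```python
# Added example (not from the original thread). Flags MD2/MD5 in the
# signatureAlgorithm of each certificate in a chain and applies the policy
# the message argues for: reject on trust anchors and intermediates, warn on
# the end-entity certificate. Certificates here are constructed stand-ins.

# PKCS#1 v1.5 RSA signature algorithm OIDs (dotted form).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KNOWN_SIG_OIDS = dict(WEAK_SIG_OIDS, **{
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
})

# OID content octets: 1.2.840.113549.1.1 = 2a 86 48 86 f7 0d 01 01, then the last arc.
RSA_PKCS1 = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01"
MD2_RSA, MD5_RSA = RSA_PKCS1 + b"\x02", RSA_PKCS1 + b"\x04"
SHA1_RSA, SHA256_RSA = RSA_PKCS1 + b"\x05", RSA_PKCS1 + b"\x0b"


def der_read_tlv(buf: bytes, off: int):
    """Decode one DER tag-length-value at `off`; return (tag, value, next_off)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                     # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    value = buf[off:off + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, off + length


def der_decode_oid(value: bytes) -> str:
    """Decode OID content octets to dotted form (base-128 arcs, first octet = 40*a+b)."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate."""
    tag, cert, _ = der_read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, off = der_read_tlv(cert, 0)            # skip tbsCertificate
    tag, sig_alg, _ = der_read_tlv(cert, off)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = der_read_tlv(sig_alg, 0)          # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("algorithm is not an OID")
    return der_decode_oid(oid)


def check_chain(chain_der):
    """chain_der is leaf first, trust anchor last. Returns (ok, findings)."""
    findings, ok, last = [], True, len(chain_der) - 1
    for i, der in enumerate(chain_der):
        role = "trust anchor" if i == last else ("leaf" if i == 0 else "intermediate")
        oid = signature_algorithm_oid(der)
        name = KNOWN_SIG_OIDS.get(oid, oid)
        if oid not in WEAK_SIG_OIDS:
            findings.append(f"ok: {role} signed with {name}")
        elif role == "leaf":
            findings.append(f"warn: {role} signed with {name}")   # reported, not fatal
        else:
            findings.append(f"reject: {role} signed with {name}")
            ok = False
    return ok, findings


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert(sig_alg_oid: bytes) -> bytes:
    """Constructed stand-in: dummy tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                              # SEQUENCE { INTEGER 2 }
    sig_alg = _der(0x30, _der(0x06, sig_alg_oid) + _der(0x05, b""))    # { OID, NULL }
    sig_val = _der(0x03, b"\x00" * 129)                                # BIT STRING, forces long-form length
    return _der(0x30, tbs + sig_alg + sig_val)


if __name__ == "__main__":
    chain = [fake_cert(SHA1_RSA), fake_cert(MD5_RSA), fake_cert(SHA256_RSA)]
    ok, findings = check_chain(chain)
    print("chain accepted:", ok)
    for line in findings:
        print(" ", line)
```

Run against a real chain by replacing the `fake_cert` list with the DER bytes of the certificates as received (leaf first); only the outer signatureAlgorithm is inspected, so the check is independent of how the rest of the certificate is parsed.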