Duane wrote:
anyone else see this pdf?
http://eprint.iacr.org/2005/067.pdf
http://www.win.tue.nl/~bdeweger/CollidingCertificates/
My understanding following chit chat on crypto groups
was that they had not been able to create the *keys*
for the colliding certs - have you seen that part?
Whether they can create the keys is an open and
important question. If they cannot, then the cert is
useless (but annoying). If they can, then the cert
is broken. In simple terms...
Perhaps you should have read the second link a little better, not only
do they claim colliding keys, but actually posted them to their website...
Perhaps I should explain myself better - they published
colliding *certificates* but the do not indicate whether
they have extracted private keys to match the certs.
If they cannot extract a private key to match a colliding
cert, then they are incapable of creating a signature that
is verified by the cert.
At least, that is my understanding - did you see any
different?
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
