Ives Steglich wrote:
> Tiller, Robert wrote:
>
>> I've submitted a bug id for the MD5/X509 cert collision reported by
>> Lenstra, Wang and Weger.
>>
>> The PDF file is attached to the bug report.
>>
>> Using SHA instead of MD5 avoids the collision.
>>
>> Recommend we only use SHA to sign certs.
>>
>> any comments?
>
> we can't just not support md5, since the standard requires we support
> it... what the user does, is the user's choice,
>
> and sha1 is the default ;)
>
> so i don't see 'a problem' in this right now...
> since the policies are made by the users - we just provide
> some default options - and those are 'safe'

so - what i wanted to say:

it's not a bug of openca - it's a bug of the standard, and our standard
settings are safe since they use sha1

- we may add a recommendation to users in the documentation, maybe on the
  website - not to use md5 anymore, since it has to be considered
  dangerous in usage with certificates
- we may print a warning if certificates with md5 are to be issued

greetings
dalini

_______________________________________________
OpenCA-Devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-devel
