From my understanding, MD2 and MD5 are unsafe because one can forge one thing (such as a certificate) with different content, but the same signature. If we continue to support verification based on MD2 and MD5, it also means that the attack with the forged certificate works. We may not be able to prevent attacks with forged things (or certificates) any more.
Xuelei

On 12/18/2010 5:01 AM, Michael StJohns wrote:
> Is it possible to deprecate the signing part of the mechanism while requiring
> the verification part?
>
> There's a whole pile of MD5withRSA and MD2withRSA root certificates.
> Obviously, you don't want to support further signatures, but it would be
> useful if you can still verify.
>
> Or too much work?
>
> Mike
>
> At 03:35 PM 12/17/2010, Sean Mullan wrote:
>> On 12/16/10 1:26 PM, Sean Mullan wrote:
>>> On 12/15/10 10:38 AM, Florian Weimer wrote:
>>>> Oh, and I just realized that MD5 and HmacMD5 are missing. These
>>>> algorithms are still heavily used (and HmacMD5 is not really broken,
>>>> it's only guilty by association).
>>>
>>> Yes, MD5 is still in use, but I think it is decreasing in use
>>> significantly. Can you give more rationale, for example data that would
>>> suggest that not making these algorithms a requirement would affect a
>>> significant number of Java applications or where SHA-1/HmacSHA1 would
>>> not be an adequate alternative?
>>>
>>> Also, just FYI but we have no plans to remove support for MD5 and HmacMD5
>>> from OpenJDK.
>>
>> It was pointed out to me that TLS 1.0 requires MD5 and HmacMD5. Since we
>> have listed TLS 1.0 as a requirement, then those should really be added to
>> the required algorithms list. So, I've added those to the list and posted a
>> new version at:
>>
>> http://cr.openjdk.java.net/~mullan/5001004/review.01/StandardNames.html#impl
>>
>> --Sean
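
As an added example (not from this thread or the JDK), a Java trust manager wrapper that applies the concern above to TLS: it rejects any non-self-signed certificate in the peer's chain whose signature uses MD2 or MD5, while leaving the MD5withRSA roots Mike mentions usable as trust anchors, since a root's own signature is never verified during path validation. The class and method names are my own, the policy is applied to the chain the peer sent, and it assumes Java 9 or later for `Set.of`.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

/** Runs the platform trust manager first, then refuses any chain that contains a
 *  non-self-signed certificate whose signature was produced with MD2 or MD5. */
public final class WeakSigAlgTrustManager implements X509TrustManager {
    // Digest names as they appear in JCA signature names such as "MD5withRSA".
    private static final Set<String> WEAK_DIGESTS = Set.of("MD2", "MD5");
    // md2WithRSAEncryption and md5WithRSAEncryption, for providers that report only an OID.
    private static final Set<String> WEAK_SIG_OIDS = Set.of("1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4");
    private final X509TrustManager delegate;

    public WeakSigAlgTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

    /** True when a JCA signature name ("MD5withRSA", "SHA256withECDSA", ...) uses MD2 or MD5. */
    static boolean usesWeakDigest(String sigAlgName) {
        String upper = sigAlgName.toUpperCase(Locale.ROOT);
        int with = upper.indexOf("WITH");
        return WEAK_DIGESTS.contains(with > 0 ? upper.substring(0, with) : upper);
    }

    /** A self-signed root's own signature is never checked during path validation, so an
     *  MD5withRSA root can stay a trust anchor; only certificates issued under it matter. */
    static boolean isSelfSigned(X509Certificate cert) {
        return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }

    static void rejectWeakSignatures(X509Certificate[] chain) throws CertificateException {
        for (X509Certificate cert : chain) {
            if (isSelfSigned(cert)) continue;
            if (usesWeakDigest(cert.getSigAlgName()) || WEAK_SIG_OIDS.contains(cert.getSigAlgOID())) {
                throw new CertificateException("rejecting " + cert.getSubjectX500Principal()
                        + ": signed with " + cert.getSigAlgName());
            }
        }
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType); // normal chain building and validation
        rejectWeakSignatures(chain);                   // then the digest policy on the peer's chain
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
        rejectWeakSignatures(chain);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Later JDK releases express the same policy declaratively through the `jdk.certpath.disabledAlgorithms` property in `java.security`; the wrapper spells the logic out so the root-versus-issued-certificate distinction is visible.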
