On Wed, Dec 31, 2008 at 9:42 AM, Jonathan Schleifer <[email protected]> wrote:
> "Eric Rescorla" <[email protected]> wrote:
>
>> Firefox 3 does OCSP checks.
>
> Not by default, no. It was either disabled by default or there was a
> bug, I don't remember, but it doesn't work as expected by default.

Could be. I'd be interested in learning more about the status of OCSP deployment.

>> s/Windows/Linux/. It's not exactly like those operating systems are
>> perfect.
>
> As there are many distributions of Linux and most customized theirs, a
> worm would be hard.

I'm not convinced that's true. And since this attack is also hard, I don't think this is a very convincing argument.

I notice you've elided the more important issue: whether this is really repeatable. You wrote:

"And it's now publicly known how you could forge the root CA. I'm pretty sure that will be used soon."

I asked:

"Really? As I stated earlier, VeriSign claims that they have fixed RapidSSL. Most of the other CAs on the list presented at CCC also are VeriSign properties and VeriSign claims that none of them are now vulnerable. Are you actually aware of any CA that is still using MD5 and predictable sequence numbers?"

It seems to me that this goes to the heart of whether this is a serious threat or just a demonstration. So, again: are you aware of a CA which is widely trusted and is actually vulnerable to this form of collision attack?

-Ekr
