On Thu, Jan 2, 2014 at 1:57 PM, Jacob Appelbaum <ja...@appelbaum.net> wrote:
> Paul Hoffman:
> > On Jan 1, 2014, at 10:22 AM, Jacob Appelbaum <ja...@appelbaum.net>
> > wrote:
> >
> >> I do control the private key for the aforementioned intermediate
> >> certificate[0] authority. :)
> >
> > No, you really do not.
>
> Unless one explicitly distrusts (all) MD5 signed certificates, pre-loads
> our certificate to mark it as untrusted, or a few other things relating
> to time constraints - it will probably still work for MITM attacks. Many
> applications fail to do proper constraint checking.

Anyone who trusts MD5 for signing any form of keying material is vulnerable to this type of attack. It does not matter whether there is a CA involved or not or the number of sub CAs. A variation of the attack could be performed on PGP or DNSSEC.

The fix here is to disable MD5 completely in the browser or for CAs to not use MD5 in any certificate. The industry has chosen to do the second since we can't actually recall legacy browsers. However, Microsoft's recent decision to end of life SHA-1 will have the effect of rendering most of the legacy browsers unusable in any case.

> > Please don't overstate the results of
> > the excellent research that you did; doing so diminishes the
> > research.
>
> I'm not overstating anything. I think you don't understand what we
> actually did if you think that later, patching things will somehow
> magically stop previously successful attacks...

You are confusing people by using a valid attack against the algorithm to argue against the trust model. PKIX is designed on the assumption that the digest algorithm chosen is secure against a second preimage attack.

We have a lot of security issues to deal with right now and we want to make sure we are paying attention to the ones that matter most. This is really not helping.

--
Website: http://hallambaker.com/
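The relying-party side of the remedy named above (refuse any MD5-signed certificate, and, given the SHA-1 end-of-life mentioned, SHA-1 as well), as an added example that is not part of this thread and not code from any browser or CA: a dependency-free Python check that reads the signature algorithm OID out of each DER certificate in a chain and rejects the chain if any certificate below the trust anchor is signed with a weak digest. The certificates fed to it are constructed structural stand-ins built inline (real serial numbers, names and keys are omitted; they are not real certificates); the OIDs are the standard ones for md5WithRSAEncryption, sha1WithRSAEncryption, sha256WithRSAEncryption and ecdsa-with-SHA256. The check also reports when the inner tbsCertificate.signature field disagrees with the outer signatureAlgorithm, which RFC 5280 requires to match.

```python
"""Reject certificate chains carrying MD5 or SHA-1 signatures (pure Python, no deps)."""

# --- minimal DER encode/decode helpers ------------------------------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                       # base-128, high bit set on all but last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# --- policy ---------------------------------------------------------------

SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"}  # MD5, SHA-1

def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    _, cert_body, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    _, tbs, pos = read_tlv(cert_body, 0)               # tbsCertificate
    _, sig_alg, _ = read_tlv(cert_body, pos)           # signatureAlgorithm
    outer_oid = decode_oid(read_tlv(sig_alg, 0)[1])
    p = 0
    tag, _, nxt = read_tlv(tbs, p)
    if tag == 0xA0:                                    # optional [0] version
        p = nxt
    _, _, p = read_tlv(tbs, p)                         # serialNumber
    _, tbs_alg, _ = read_tlv(tbs, p)                   # signature (inner AlgorithmIdentifier)
    return decode_oid(read_tlv(tbs_alg, 0)[1]), outer_oid

def check_chain(chain):
    """chain: DER certs from leaf up to (not including) the trust anchor,
    whose self-signature a verifier does not check. Returns a list of
    (index, reason); an empty list means the chain passes this policy."""
    problems = []
    for i, cert in enumerate(chain):
        tbs_oid, outer_oid = signature_algorithms(cert)
        if tbs_oid != outer_oid:
            problems.append((i, "signature algorithm mismatch: tbs=%s outer=%s" % (tbs_oid, outer_oid)))
        for oid in {tbs_oid, outer_oid} & WEAK_SIG_ALGS:
            problems.append((i, "weak signature algorithm " + SIG_ALG_NAMES.get(oid, oid)))
    return problems

# --- constructed stand-in certificates (not real certificates) ------------

def make_stub_cert(sig_oid, tbs_sig_oid=None):
    """Structurally minimal DER Certificate carrying the given algorithm OIDs."""
    tbs_sig_oid = tbs_sig_oid or sig_oid
    def alg_id(oid):
        return der_tlv(0x30, encode_oid(oid) + b"\x05\x00")     # AlgorithmIdentifier with NULL params
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))  # version v3
                  + der_tlv(0x02, b"\x01")                      # serialNumber 1
                  + alg_id(tbs_sig_oid))                        # inner signature field
    return der_tlv(0x30, tbs + alg_id(sig_oid) + der_tlv(0x03, b"\x00"))

if __name__ == "__main__":
    chain = [make_stub_cert("1.2.840.113549.1.1.11"), make_stub_cert("1.2.840.113549.1.1.4")]
    for idx, why in check_chain(chain):
        print("cert %d rejected: %s" % (idx, why))
```

A real deployment would run this on the DER chain presented by the peer before (or alongside) path validation; the point is that the policy is enforced at the relying party, independent of what any CA chose to issue.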
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey