On Jan 2, 2014, at 10:57 AM, Jacob Appelbaum <[email protected]> wrote:

> I control the private key for the rogue CA that we created.

True. However, that rogue CA is not trusted in any root pile, right? You 
holding a private key for a trusted CA was, appropriately, a big deal. You 
holding a private key for an untrusted CA is uninteresting.


>> As you certainly know, that attack only
>> applied to a very limited number of CAs in the root piles at the
>> time.
> 
> I'm not sure where you came to this impression?

By counting the number of CAs who used MD5 and had predictable serial numbers.

> There were a few CAs who
> were vulnerable, we picked one to perform the research. It worked. That
> work produced a valid signature that we could apply to our second
> certificate, which is a sub-CA certificate. Thus, the attack we did only
> applied to a single CA and we did not destroy the private key for the
> corresponding certificate. So yes, we most certainly do have the private
> key for that intermediate certificate authority that we created.

All true, but no longer relevant.

>> If I remember correctly, it applied to zero of them
>> approximately six months later.
> 
> Unless one explicitly distrusts (all) MD5 signed certificates, pre-loads
> our certificate to mark it as untrusted, or a few other things relating
> to time constraints - it will probably still work for MITM attacks.

It sounds like you are saying that the contents of the issued certificates 
don't need to be predictable for the collision to happen. That would be absurd. 
Again, please don't overstate the value of your demonstration. It was a very 
good thing because it got people to look *and fix* the problem. Can you 
point to a single CA in any of the common trust stores that both uses MD5 and 
issues certificates with less than 2^64 bits of unpredictability?

> Many
> applications fail to do proper constraint checking.

Which is just fine. It should be up to the people putting together the trust 
pile to do the checking, not the relying parties.

> I'm not overstating anything.

We disagree.

> I think you don't understand what we
> actually did if you think that later, patching things will somehow
> magically stop previously successful attacks...

Ummm, where did I say anything about "patching"? I said that I believed that 
there were no more CAs who were vulnerable, and asked you to show where you 
thought there was. If you're right, then that's very valuable information. I 
don't see any more in the trust piles that I look through, but I could be 
missing something.

--Paul Hoffman
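A defender-side check in the spirit of Paul's question, added here as an example and not part of the thread: it walks a DER certificate and reports the two preconditions the 2008 rogue-CA collision relied on, an MD5 (or MD2) signature algorithm and a serial number too short to carry real randomness. The pure-Python DER walker, the 64-bit serial threshold, and the skeletal sample "certificates" are constructions for this example, not anything from the thread or a real trust store.

```python
# Added example, not from the thread: flag MD5/MD2-signed certs and short serials.
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                "1.2.840.113549.1.1.2": "md2WithRSAEncryption"}

def der_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OID content bytes (X.690 base-128 arcs) to dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def audit_cert(der):
    """Report the tbsCertificate signature OID and serial-number size of one DER cert."""
    _, cert, _ = der_tlv(der, 0)             # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert, 0)             # tbsCertificate SEQUENCE
    tag, val, pos = der_tlv(tbs, 0)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        tag, val, pos = der_tlv(tbs, pos)
    serial_bits = int.from_bytes(val, "big").bit_length()   # serialNumber INTEGER
    _, alg, _ = der_tlv(tbs, pos)            # signature AlgorithmIdentifier
    sig_oid = decode_oid(der_tlv(alg, 0)[1]) # its algorithm OID
    return {"sig_alg": sig_oid,
            "weak_hash": MD5_SIG_OIDS.get(sig_oid),   # None unless MD5/MD2
            "serial_bits": serial_bits,
            "short_serial": serial_bits < 64}         # heuristic: little room for randomness

def tlv(tag, content):
    """Short-form DER TLV, sufficient for the constructed samples below."""
    return bytes([tag, len(content)]) + content

def sample_cert(alg_oid_der, serial):
    """Constructed skeleton with only the fields audit_cert walks (not a valid cert)."""
    alg = tlv(0x30, alg_oid_der + b"\x05\x00")                       # AlgorithmIdentifier
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + alg)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\xaa"))             # + dummy BIT STRING

MD5_RSA = bytes.fromhex("06092a864886f70d010104")      # OID md5WithRSAEncryption
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")   # OID sha256WithRSAEncryption
print(audit_cert(sample_cert(MD5_RSA, b"\x00\x10")))   # MD5 + 5-bit serial: both flags set
```

Run it over a real trust store by feeding each certificate's DER bytes to `audit_cert`; a MD5 flag together with a short serial is the combination worth distrusting outright.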
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
