Hi, >> Alternatively, pull the root cert from which MD5 signatures were issued. >> As the MD5 attack still had considerable cost (for the hobby blackhat, >> not a 3-letter agency), it was deemed that this must suffice for a while. > > To make the discussion CT-compliant, having logs provide a list of > algorithms that are used by each CA would be a nice feature to enable > decisions like this.
Although, in the case you mention, that would not help all that much. Fortunately, the days of MD5 in X.509 are over. But in fact, I've been thinking for a while that an additional monitoring infrastructure would be a nice-to-have thing in addition to CT --- and, FWIW, also TACK --- I view both drafts as naturally complementing each other. CT, for example, is not meant to address the issue of whether certificates have been deployed correctly (e.g. correct host). I think active scans are still worthwhile to collect such information. Ralph -- Ralph Holz I8 - Network Architectures and Services Technische Universität München http://www.net.in.tum.de/de/mitarbeiter/holz/ Phone +49.89.289.18043 PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF _______________________________________________ therightkey mailing list [email protected] https://www.ietf.org/mailman/listinfo/therightkey
