Re: [saag] X.509 certificate collision, via MD5 collisions

At 6:24 PM -0500 3/1/05, Russ Housley wrote:
> I have not had an opportunity to review this document yet, but the findings need to be shared with the whole Internet security community.
>
> We announce a method for the construction of pairs of valid X.509 certificates in which the "to be signed" parts form a collision for the MD5 hash function. As a result the issuer signatures in the certificates will be the same when the issuer uses MD5 as its hash function.
>
> http://eprint.iacr.org/2005/067

From the description in the paper, it appears that step 1 requires that the template for the certificate must be known before you create the two RSA keys. If that is true, then a CA who uses long serial numbers either randomly or based on a secret would automatically foil this attack. (I could be misreading the requirement, of course.)

--Paul Hoffman, Director
--Internet Mail Consortium
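An added illustration of the countermeasure raised above; this is not code from the paper or from anyone on the list. It shows two ways a CA can pick serial numbers that a requester cannot know before issuance (fresh random bits, or a value derived from a CA-held secret over the request; the HMAC-based derivation is a hypothetical scheme), plus a check against the 20-octet serial limit of RFC 3280/5280.

```python
import hashlib
import hmac
import secrets

# RFC 3280/5280 profile: CertificateSerialNumber is a positive INTEGER whose
# DER encoding is at most 20 octets. 159 random bits leaves the sign bit
# clear, so the encoding never needs a leading 0x00 pad and fits in 20 octets.
SERIAL_BITS = 159


def random_serial() -> int:
    """Serial chosen freshly at issuance; nobody can fix it in a template beforehand."""
    return secrets.randbits(SERIAL_BITS) | 1  # OR 1 keeps it non-zero


def derived_serial(ca_secret: bytes, request_template: bytes) -> int:
    """Serial derived from a CA-held secret and the request (hypothetical scheme).

    Deterministic for the CA (useful for re-issuance audits), but a requester who
    does not hold ca_secret cannot predict it, so the to-be-signed bytes are not
    known when the requester generates its key pair.
    """
    tag = hmac.new(ca_secret, request_template, hashlib.sha256).digest()
    # Take 160 bits, drop one so the result is 159 bits, and keep it non-zero.
    return (int.from_bytes(tag[:20], "big") >> (160 - SERIAL_BITS)) | 1


def serial_is_conforming(serial: int) -> bool:
    """True if serial is positive and DER-encodes in at most 20 octets."""
    if serial <= 0:
        return False
    # A positive DER INTEGER needs bit_length // 8 + 1 octets (room for the sign bit).
    der_octets = (serial.bit_length() + 8) // 8
    return der_octets <= 20


if __name__ == "__main__":
    # Constructed sample request: in practice this would be the DER of the
    # subject name and SubjectPublicKeyInfo taken from the CSR.
    template = b"CN=example-requester|rsa-modulus-bytes..."
    print(hex(random_serial()))
    print(hex(derived_serial(b"ca-secret-key (constructed)", template)))
```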