[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [saag] X.509 certificate collision, via MD5 collisions

To: ietf-pkix@xxxxxxx
Subject: RE: [saag] X.509 certificate collision, via MD5 collisions
From: Paul Hoffman <paul.hoffman@xxxxxxxx>
Date: Fri, 4 Mar 2005 09:45:57 -0800
In-reply-to: <7A3E1242FA9989439AD1F9B2D71C287F04274009@xxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <7A3E1242FA9989439AD1F9B2D71C287F04274009@xxxxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx


At 10:46 AM -0500 3/4/05, Robert Zuccherato wrote:

However, I really wonder if we should be recommending that peoplechange their implementations at this point. I don't think we knowenough yet about the potential attacks on MD5, SHA-1 to say with anycertainty that any particular counter-measures are worthimplementing. This infrastructure was built assuming that peoplewill use strong hash functions. I see no reason at this point tochange that assumption. People should have stopped using MD5 a longtime ago. Over the next couple of years they will likely have tostop using SHA-1 as well. I think that is the real advice that weshould be giving people at this time.

The first sentence fully contradicts the last one. To use a new hashalgorithm is a *much* larger change than to have CAs change themethod they issue serial numbers; one involves changing everyvalidating client, the other doesn't.

There are also some practical problems with overloading the serial number.

The term "overloading" is silly here. Before now, no one has accusedVeriSign of "overloading" its serial numbers.

CRLs will, in most circumstances, increase in size. Also, OCSPresponders that pre-compute responses may have trouble pre-computing"good" responses if they cannot predict which serial numbers havebeen used. This issue would come up with responders that work fromCRLs and assume that a certificate is "good" if it's serial numberdoesn't appear on a CRL.

Those are valid points. However, weigh them against asking everyvalidating client to change its software (and not even assuring themthat they won't have to again later when we discover that the"better" hash algorithm has some other flaws). Which is the betterway to get the public to trust PKI more?

I'd also like to point out that the serial number proposal wouldonly help X.509 certificates and not CRLs, RFC 3161 time stamptokens (there was already a message to the CFRG list today showinghow to extend the MD5 X.509 work to 3161 tokens), OCSP responses,etc.

Please explain the attack scenario for these. What possible value isthere for a CRL signature spoofing attack, for example? As fortimestamps and OCSP responses, what Eric said yesterday still stands:if you are relying on a particular signed object for a valuabletransaction, keep the object around.


--Paul Hoffman, Director
--VPN Consortium

Follow-Ups:
- RE: [saag] X.509 certificate collision, via MD5 collisions
  - From: Stephen Kent

References:
- RE: [saag] X.509 certificate collision, via MD5 collisions
  - From: Robert Zuccherato

Prev by Date: Colliding RFC 3161 time-stamp tokens, via MD5-collisions
Next by Date: RE: [saag] X.509 certificate collision, via MD5 collisions
Previous by thread: RE: [saag] X.509 certificate collision, via MD5 collisions
Next by thread: RE: [saag] X.509 certificate collision, via MD5 collisions
Index(es):
- Date
- Thread