RE: [saag] X.509 certificate collision, via MD5 collisions

[Stephen Kent <kent@xxxxxxx>]

At 9:45 AM -0800 3/4/05, Paul Hoffman wrote:
> At 10:46 AM -0500 3/4/05, Robert Zuccherato wrote:
> > However, I really wonder if we should be recommending that people 
> > change their implementations at this point.  I don't think we know 
> > enough yet about the potential attacks on MD5, SHA-1 to say with 
> > any certainty that any particular counter-measures are worth 
> > implementing.  This infrastructure was built assuming that people 
> > will use strong hash functions.  I see no reason at this point to 
> > change that assumption.  People should have stopped using MD5 a 
> > long time ago.  Over the next couple of years they will likely have 
> > to stop using SHA-1 as well.  I think that is the real advice that 
> > we should be giving people at this time.
>
> The first sentence fully contradicts the last one. To use a new hash 
> algorithm is a *much* larger change than to have CAs change the 
> method they issue serial numbers; one involves changing every 
> validating client, the other doesn't.
>
> > There are also some practical problems with overloading the serial number.
>
> The term "overloading" is silly here. Before now, no one has accused 
> VeriSign of "overloading" its serial numbers.

Paul,

This is not entirely true.  I have noted in the past that there are 
subtle vulnerabilities associated with issuing serial numbers that 
are not serial. This is a concern with VeriSign and with the CA built 
into Microsoft desktop product as well.  Still, IF the collision 
problem is determined to be a serious concern, then I agree that 
changing the serial number generation process has much less impact 
than changing the hash algorithm.

Steve