Re: [saag] X.509 certificate collision, via MD5 collisions
Stephen Kent <kent@xxxxxxx> writes:
> At 9:45 AM -0800 3/4/05, Paul Hoffman wrote:
>> At 10:46 AM -0500 3/4/05, Robert Zuccherato wrote:
>>> However, I really wonder if we should be recommending that people
>>> change their implementations at this point. I don't think we know
>>> enough yet about the potential attacks on MD5, SHA-1 to say with
>>> any certainty that any particular counter-measures are worth
>>> implementing. This infrastructure was built assuming that people
>>> will use strong hash functions. I see no reason at this point to
>>> change that assumption. People should have stopped using MD5 a
>>> long time ago. Over the next couple of years they will likely have
>>> to stop using SHA-1 as well. I think that is the real advice that
>>> we should be giving people at this time.
>>
>> The first sentence fully contradicts the last one. To use a new hash
>> algorithm is a *much* larger change than to have CAs change the
>> method they issue serial numbers; one involves changing every
>> validating client, the other doesn't.
>>
>>> There are also some practical problems with overloading the serial number.
>>
>> The term "overloading" is silly here. Before now, no one has accused
>> VeriSign of "overloading" its serial numbers.
>
> Paul,
>
> This is not entirely true. I have noted in the past that there are
> subtle vulnerabilities associated with issuing serial numbers that are
> not serial. This is a concern with VeriSign and with the CA built into
> the Microsoft desktop product as well. Still, IF the collision problem is
> determined to be a serious concern, then I agree that changing the
> serial number generation process has much less impact than changing
> the hash algorithm.
Steve,
By "not serial" do you mean "not monotonically increasing" or do you
mean "must increase by one each time"?
Thanks,
-Ekr
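The countermeasure Paul Hoffman argues for above, CAs issuing unpredictable serial numbers so that the to-be-signed certificate cannot be known before issuance, together with the sequential-versus-monotonic distinction in the closing question, as an added Python example that is not code from anyone in this thread. The 64-bit entropy floor, the helper names and the two sample issuance logs are assumptions constructed for the example.

```python
import secrets

# Added example, not code from the thread; the 64-bit floor is an assumption.
MAX_SERIAL_OCTETS = 20  # RFC 5280: serialNumber is a positive INTEGER, <= 20 octets
MIN_RANDOM_BITS = 64


def der_integer_octets(n: int) -> int:
    """Octets needed to DER-encode non-negative INTEGER n (0x7F -> 1, 0x80 -> 2,
    because a leading 0x00 is inserted whenever the top bit would be set)."""
    if n < 0:
        raise ValueError("serial numbers must be non-negative")
    return n.bit_length() // 8 + 1


def random_serial(entropy_bits: int = MIN_RANDOM_BITS) -> int:
    """Draw a positive serial from the OS CSPRNG at issuance time.
    A requester then cannot know the full to-be-signed certificate in advance,
    which is what a hash-collision attack on the CA needs. entropy_bits is
    capped so the DER encoding still fits in 20 octets."""
    if not MIN_RANDOM_BITS <= entropy_bits <= 8 * MAX_SERIAL_OCTETS - 1:
        raise ValueError("entropy_bits out of range")
    serial = 0
    while serial == 0:  # INTEGER must be positive; reject the 2^-n zero draw
        serial = secrets.randbits(entropy_bits)
    return serial


def classify_issuance(serials: list[int]) -> str:
    """Heuristic over serials in issuance order, using the distinction in Ekr's
    question: "increment-by-one" (predecessor plus one), "monotonic" (only grows,
    by varying steps, e.g. time-derived) or "non-monotonic" (what a CSPRNG policy
    yields). Flags obviously predictable patterns; cannot prove unpredictability."""
    steps = [b - a for a, b in zip(serials, serials[1:])]
    if not steps:
        raise ValueError("need at least two serials")
    if all(s == 1 for s in steps):
        return "increment-by-one"
    if all(s > 0 for s in steps):
        return "monotonic"
    return "non-monotonic"


# Constructed sample issuance logs, not real CA data.
COUNTER_CA = [0x1000, 0x1001, 0x1002, 0x1003]
TIME_CA = [0x42285A10, 0x42285A9C, 0x42285B37]

if __name__ == "__main__":
    for name, log in (("counter", COUNTER_CA), ("time", TIME_CA),
                      ("random", [random_serial() for _ in range(4)])):
        print(f"{name:8s} {classify_issuance(log):17s} max {max(map(der_integer_octets, log))} octets")
```

Because `random_serial` draws fresh bits per certificate, a run of random serials will usually classify as non-monotonic, but a short run can be monotonic by chance, which is why the classifier is documented as a heuristic.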