[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate
> I sent my last message a bit too hastily. Other ideas that I was
> contemplating should have been mentioned including:
> - remove any unrecognized extensions
> - remove tumors
> Those could potentially cause problems if for some reason they were
> actually needed. This one, though, shouldn't cause trouble:
> - add a private EKU with a random number (or two) in the OID
> That would not mess up the serial number scheme in use or modify the
> subject name as has been suggested.
Or add a non-critical extension with some randomness in it...
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@xxxxxxxxxxxxxxxxxxxxx, PGP key: via homepage.