Tom Gindin wrote:
Stefan:
While it is unreasonable to dictate what a CA can accept, I think
that the Security Considerations section should say something like: "the
information about the certificate subject contained in the image SHOULD
NOT include any graphic supplied by the applicant". The "tumor" construct
which we saw in MD5 collisions could be placed into such a graphic. Thus
if a CA were to construct a graphic by inserting a customer-provided
graphic into a template provided by the CA, it would be subject to the
same attacks as MD5 certificates have been, but it would not be evident
from the certificate syntax.
I'd rather require the CA to include a confounder in the prefix than restrict the CA's ability to accept input. There are multiple places where a CA can do this; serial number being one (but more or less difficult for some PKIs to implement), random-skew validity periods being another. To confound a prefix using this extension, randomly reordering extensions is enough.
-- Tim
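
The three confounders named in the reply above (random serial number, random-skew validity period, random extension order), sketched as an added example that is not part of the original message. The dict layout, the two constants, the extension names and the sample request are assumptions made for illustration.

```python
import math
import secrets
from datetime import datetime, timedelta, timezone

SERIAL_BITS = 64         # assumption: entropy target chosen for this sketch
MAX_SKEW_SECONDS = 3600  # assumption: notBefore may move back by up to 1 hour

def random_serial(bits=SERIAL_BITS):
    """Positive serial drawn from the OS CSPRNG instead of a counter."""
    return secrets.randbelow(2**bits - 1) + 1

def skewed_validity(requested_start, lifetime):
    """Move notBefore back by a secret random number of seconds."""
    skew = timedelta(seconds=secrets.randbelow(MAX_SKEW_SECONDS + 1))
    not_before = requested_start - skew
    return not_before, not_before + lifetime

def shuffled_extensions(extensions):
    """Return the extensions in random order; the input list is untouched."""
    shuffled = list(extensions)
    secrets.SystemRandom().shuffle(shuffled)
    return shuffled

def confound(request):
    """Fill the CA-chosen fields of a to-be-signed structure (hypothetical layout)."""
    not_before, not_after = skewed_validity(request["start"], request["lifetime"])
    return {
        "serial": random_serial(),
        "not_before": not_before,
        "not_after": not_after,
        "subject": request["subject"],
        "extensions": shuffled_extensions(request["extensions"]),
    }

def confounder_bits(n_extensions):
    """Unpredictable bits each confounder adds to the bytes the CA signs."""
    return {
        "serial": SERIAL_BITS,
        "validity_skew": math.log2(MAX_SKEW_SECONDS + 1),
        "extension_order": math.log2(math.factorial(n_extensions)),
    }

# Constructed sample request; names and values are illustrative only.
SAMPLE_REQUEST = {
    "subject": "CN=example.test",
    "start": datetime(2009, 1, 1, tzinfo=timezone.utc),
    "lifetime": timedelta(days=365),
    "extensions": ["basicConstraints", "keyUsage", "subjectAltName", "subjectImage"],
}
```

With these constants, `confounder_bits(4)` reports 64 bits for the serial, about 11.8 for the one-hour skew and about 4.6 for the ordering of four extensions.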