RE: Embedded certificate image

["Santosh Chokhani" <SChokhani@xxxxxxxxxxxx>]

Tim,

Depending on the nature of collision, randomly reordering extensions may
not help at all or may not provide sufficiently low probability of
successful collision.

> -----Original Message-----
> From: Timothy J. Miller [mailto:tmiller@xxxxxxxxx] 
> Sent: Monday, August 03, 2009 8:51 AM
> To: Tom Gindin
> Cc: Stefan Santesson; ietf-pkix; Santosh Chokhani
> Subject: Re: Embedded certificate image
> 
> Tom Gindin wrote:
> >         Stefan:
> > 
> >         While it is unreasonable to dictate what a CA can accept, I 
> > think that the Security Considerations section should say something 
> > like: "the information about the certificate subject 
> contained in the 
> > image SHOULD NOT include any graphic supplied by the 
> applicant".  The 
> > "tumor" construct which we saw in MD5 collisions could be 
> placed into 
> > such a graphic.  Thus if a CA were to construct a graphic 
> by inserting 
> > a customer-provided graphic into a template provided by the CA, it 
> > would be subject to the same attacks as MD5 certificates have been, 
> > but it would not be evident from the certificate syntax.
> 
> I'd rather require the CA to include a confounder in the 
> prefix than restrict the CAs ability to accept input.  There 
> are multiple places where a CA can do this; serial number 
> being one (but more or less difficult for some PKIs to 
> implement), random-skew validity periods being another.  To 
> confound a prefix using this extension, random reordering 
> extensions is enough.
> 
> -- Tim
>