[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Cfrg] [saag] Further MD5 breaks: Creating a rogue CAcertificate
At Thu, 01 Jan 2009 07:51:38 -0800,
> Is there anything that could be added to RP software to reliably
> detect and thwart the use of a rogue CA certificate? Or would
> any attempt to do that just cause too many problems?
> Mike (who is writing "I am not a security expert" 100 times on
> the chalkboard)
You could certainly add a check for this particular certificate
and any others you discovered. To the extent to which CAs no
longer use MD5, this would likely quickly clean up the damage.
It's less clear that you could safely detect this kind of
cert in a generic way.