[cap-talk] FW: x.509 -- MD5 considered harmful today
toby.murray at comlab.ox.ac.uk
Wed Dec 31 08:34:33 EST 2008
On Wed, 2008-12-31 at 02:16 +0000, Karp, Alan H wrote:
> Something else to worry about.
> > Subject: x.509 -- MD5 considered harmful today
> > Although nobody should be using MD5 to sign anything of value anymore,
> > this work on attacking chained certs is certainly interesting.
> > http://www.win.tue.nl/hashclash/rogue-ca/
The real upshot of this is that phasing out crypto algorithms is hard;
but crypto algorithms are broken overnight, often without warning. This
creates an obvious dilemma.
Another point to take home is that the entire HTTPS / PKI infrastructure
is only as strong as the weakest Certificate Authority. Coupled with the
inability to easily phase out old algorithms, this indicates that there
will always exist a weakest link in this chain.
The only real assumption to make here is, given how easily (in relative
terms) they pulled this off, that someone else with bigger pockets and a
stronger incentive to do so must have already done it.
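The "weakest link" point above is something a relying party can at least check for: a verifier that walks the chain and refuses any certificate whose outer signature uses MD5 (or another hash it no longer trusts) is not fooled by a rogue intermediate, however good the rest of the chain looks. The following is an added example, not code from this thread or from the hashclash project. It uses a minimal DER walker instead of a full X.509 library so it runs offline; the `fake_cert` helper and `SAMPLE_CHAIN` are constructed stand-ins with a placeholder tbsCertificate, not real certificates, and the OID table is limited to a handful of common RSA/ECDSA signature algorithms.

```python
"""Audit an X.509 chain for weak signature algorithms (MD2/MD5/SHA-1).

Added example, not from the cap-talk thread. Only the outer
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
structure is parsed; sample certificates below are constructed stand-ins.
"""

# OID -> (name, weak?) for a few signature algorithms seen in practice.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", True),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _read_tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Split the content of a constructed DER node into child (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(raw):
    """Decode DER OID content bytes to dotted-decimal form."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return the dotted OID of a certificate's outer signatureAlgorithm."""
    tag, body, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate must be a SEQUENCE"
    alg_tag, alg_body = _children(body)[1]   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    assert alg_tag == 0x30, "signatureAlgorithm must be a SEQUENCE"
    oid_tag, oid_body = _children(alg_body)[0]
    assert oid_tag == 0x06, "first AlgorithmIdentifier field must be an OID"
    return _decode_oid(oid_body)

def weak_links(chain_der):
    """Return (index, algorithm name) for every cert signed with a weak hash.

    Unknown OIDs are reported as weak as well: a verifier should fail closed
    rather than trust an algorithm it cannot name.
    """
    findings = []
    for i, cert in enumerate(chain_der):
        oid = signature_algorithm(cert)
        name, weak = SIGNATURE_OIDS.get(oid, (oid, True))
        if weak:
            findings.append((i, name))
    return findings

# --- constructed sample input (not real certificates) ---------------------
def _der(tag, content):
    """Minimal DER encoder handling short- and long-form lengths."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    """Encode a dotted-decimal OID into DER content bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out

def fake_cert(sig_oid):
    """Build a certificate-shaped DER blob carrying the given signature OID."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                       # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)                               # dummy BIT STRING
    return _der(0x30, tbs + alg + sig)

# Leaf signed with SHA-256, intermediate signed with MD5, root with SHA-256.
SAMPLE_CHAIN = [
    fake_cert("1.2.840.113549.1.1.11"),
    fake_cert("1.2.840.113549.1.1.4"),
    fake_cert("1.2.840.113549.1.1.11"),
]

if __name__ == "__main__":
    for idx, name in weak_links(SAMPLE_CHAIN):
        print(f"chain[{idx}] signed with weak algorithm: {name}")
```

Run against the constructed chain, it reports only the intermediate (index 1) as MD5-signed; the leaf being SHA-256 does not rescue the chain, which is exactly the situation the rogue-CA work exploits. Treating unrecognised OIDs as weak is a deliberate fail-closed choice.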