Re: Questions about MD5+CA

[Alexander Sotirov <alex () sotirov net>]

On Tue, Dec 30, 2008 at 12:43:30PM -0500, Dave Aitel wrote:
> So if someone was able to get a root CA for $20000 - shouldn't we
> remove the RapidSSL root CA from our browsers with the next browser
> update? I don't see why people think this would be hard to replicate
> and hasn't been done previously to RapidSSL. Is it because no one
> other than that one team can do math or buy PS3s?
>
> Microsoft's advisory on this is essentially defaulting to the "No one
> else has ever done this" position. This is weird. Trusted Roots that
> could have been used to sign these things need to get re-issued,
> right? What am I missing here?

I agree. If revoking a root CA cert is so inconvenient or Internet-breaking
that it can't be done even after an attack on the root has been demonstrated in
practice, then our trust in the PKI system is perhaps misplaced.

If they don't revoke the root, the security of the PKI system from now until
2020 (when the RapidSSL cert expires) will rely on the assumption that our team
did not make a second CA cert that nobody knows about and that nobody else did
either. We didn't, but how can we possibly prove that? How can any CA that used
MD5 prove beyond doubt that they have not signed a colliding key in the past?

The lesson here is that if you have a mechanism like CA root revocation, you
need to regularly exercise it, otherwise you won't be ready to use it when the
real need arises. Perhaps we need to start revoking one randomly selected root
each year to get everybody used to the idea and ready to do it for real when
there is a real threat. We to drills and practice evacuating buildings for
earthquakes and fires, so why not for online threats?

Alex

Attachment: _bin
Description:

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave