Dailydave mailing list archives
Re: Questions about MD5+CA
From: Dave Aitel <dave () immunityinc com>
Date: Fri, 02 Jan 2009 12:15:32 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Totally. This was a good opportunity for Mozilla or the IE team to be thought leaders in security, and neither stepped up. The right thing to do would have been to announce an update that disabled the root CA in 10 days. That gives everyone ten days to get a new certificate from somewhere else. Security is about hard choices. Currently, we're all about sticking our heads in the sand - which devalues SSL as a security protocol entirely. In my role as CTO at Immunity I try to do similar things: our newest researcher Skylar is learning about this the hard way when she calls up asking why her shiny new dell laptop does not yet support wireless. :> - -dave
I agree. If revoking a root CA cert is so inconvenient or Internet-breaking that it can't be done even after an attack on the root has been demonstrated in practice, then our trust in the PKI system is perhaps misplaced. If they don't revoke the root, the security of the PKI system from now until 2020 (when the RapidSSL cert expires) will rely on the assumption that our team did not make a second CA cert that nobody knows about and that nobody else did either. We didn't, but how can we possibly prove that? How can any CA that used MD5 prove beyond doubt that they have not signed a colliding key in the past?
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJXkuztehAhL0gheoRAkzcAJ91MJXkxMORc3ft4Hl22XTvUavxRACaA10F b45C+Bh5he3BkQbwUANGgEM= =QsTJ -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: Questions about MD5+CA Alexander Sotirov (Jan 01)
- Re: Questions about MD5+CA Dave Aitel (Jan 02)
- Re: Questions about MD5+CA wishi (Jan 02)
- Re: Questions about MD5+CA Jon Oberheide (Jan 03)
- Re: Questions about MD5+CA wishi (Jan 02)
- Re: Questions about MD5+CA Dave Aitel (Jan 02)