funsec mailing list archives

Fake CA MD5 questions


From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade () shaw ca>
Date: Tue, 30 Dec 2008 16:29:11 -0800

Date sent:              Tue, 30 Dec 2008 12:09:36 +0100
From:                   Jacob Appelbaum <jacob () appelbaum net>

http://events.ccc.de/2008/12/30/the-cat-is-out-of-the-bag/

MD5 considered harmful today: Creating a rogue CA certificate

OK, this is already hitting the mainstream media, and some real assessments are 
going to be needed.

The Bad Guys (TM) have been using fake or self-signed certs for a while.  We can 
expect them to build a fake CA cert to start using for phishing sites shortly.  
(Although I wonder why they'd even bother ...)

First, you need 5 CAs that use MD5 hashes.  How many do that?  How many CAs 
use *only* MD5s?  Is it possible to revoke all the MD5 certs and push that out to 
all the browser updates within the next few weeks?  Would that be effective?

Is this attack effective against SHA-1?  How much longer would it take?

Others?

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
I'm never going to be famous. My name will never be writ large on
the roster of Those Who Do Things. I don't do any thing. Not one
single thing. I used to bite my nails, but I don't even do that
any more.         - famous American reviewer and wit, Dorothy Parker
victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/
http://blog.isc2.org/isc2_blog/slade/index.html
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
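The post asks which certificates (and which CAs) still carry MD5 signatures. The script below is an added example, not code from the original post or from the funsec list: it walks the outer DER structure of an X.509 certificate with only the standard library, pulls the signatureAlgorithm OID, and classifies it as broken (MD2/MD5), deprecated (SHA-1) or acceptable. The OID table, the helper names and the skeleton certificate builder are assumptions made for this example; the skeleton is a constructed stand-in so the code runs offline, not a real certificate.

```python
"""Added example (not part of the original funsec post): report the
signatureAlgorithm of DER/PEM X.509 certificates and flag MD2/MD5 and
SHA-1 signatures. Standard library only; the sample certificate is a
constructed skeleton, not a real certificate."""
import base64

# Assumed classification table for this example (OIDs are the standard
# PKIX/PKCS#1 values; the "status" labels are this example's own).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "broken"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "broken"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "deprecated"),
    "1.2.840.10040.4.3": ("dsaWithSHA1", "deprecated"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "deprecated"),
}
KNOWN_OK = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Convert DER OID content bytes to dotted-decimal form."""
    arcs = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode the body."""
    body = [l for l in pem_text.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))


def signature_algorithm_oid(cert_der):
    """Return the OID from the outer signatureAlgorithm field of
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert_body, 0)         # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert_body, pos)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_bytes)


def assess(cert_der):
    """Classify the certificate's signature algorithm."""
    oid = signature_algorithm_oid(cert_der)
    if oid in WEAK_SIG_OIDS:
        name, status = WEAK_SIG_OIDS[oid]
    elif oid in KNOWN_OK:
        name, status = KNOWN_OK[oid], "ok"
    else:
        name, status = "unknown", "review"
    return {"oid": oid, "name": name, "status": status}


# --- constructed sample input (hypothetical skeleton, not a real cert) ---
def _tlv(tag, content):
    assert len(content) < 128              # short-form length is enough here
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(chunk)
    return out


def build_skeleton_cert(sig_oid):
    """Constructed Certificate skeleton: empty tbsCertificate, an
    AlgorithmIdentifier with the given OID and NULL params, a dummy
    BIT STRING. Enough to exercise the parser; not a usable certificate."""
    tbs = _tlv(0x30, b"")
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 5)
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(assess(build_skeleton_cert(oid)))
```

On real input, feed `assess(pem_to_der(open(path).read()))` each certificate in a chain; the check answers the post's "how many CAs use MD5" question for the chains you actually trust, since a chain is only as strong as its weakest intermediate signature. Note that the parser reads the outer signatureAlgorithm field only, which is the one that matters for the collision question; the copy inside tbsCertificate is required by RFC 5280 to match.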