[Security] Rogue CAs

Eric Rescorla ekr at rtfm.com
Wed Dec 31 11:09:37 CST 2008

On Wed, Dec 31, 2008 at 8:58 AM, Ralph J.Mayer <rmayer at vinotech.de> wrote:
>> I sort of agree with this. Remember that this is a collision attack, so
>> it's only useful to the extent to which CAs continue to issue certificates
>> with MD5. My understanding is that all the remaining such CAs are
>> phasing it out *very* quickly if they haven't already done so.
> We'll see if they learned their lesson when sha1 is as broken as md5.

This is why it would be good to move to randomized sequence numbers now
to future-proof against this kind of attack even if SHA-1 is broken.
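The mitigation proposed above, unpredictable certificate serial numbers (the "sequence numbers" in the reply), as an added example that is not part of the original thread: a CA-side generator that draws each serial from the OS CSPRNG, plus checks for the RFC 5280 constraints on the serialNumber field (positive, at most 20 DER octets) and the DER encoding of the field. The 64-bit entropy floor is assumed here as the CA/Browser Forum Baseline Requirement, not a figure from the post; only the Python standard library is used.

```python
import secrets

# Constraints enforced below. RFC 5280 4.1.2.2: the serial is a positive
# integer of at most 20 octets in DER. The 64-bit CSPRNG minimum is assumed
# as the CA/Browser Forum Baseline Requirement (not a value from the post).
MAX_SERIAL_OCTETS = 20
MIN_ENTROPY_BITS = 64


def der_integer_octets(n: int) -> int:
    """Content length of a DER INTEGER for non-negative n.
    A leading 0x00 is needed whenever the top bit of the high byte is set."""
    return n.bit_length() // 8 + 1


def random_serial_number(entropy_bits: int = 159) -> int:
    """Draw a fresh serial from the OS CSPRNG.
    With a sequential counter an outsider can predict the serial of the next
    certificate and precompute a collision for it; a random serial removes that
    predictable prefix. 159 bits keeps the DER encoding within 20 octets."""
    if not MIN_ENTROPY_BITS <= entropy_bits <= 8 * MAX_SERIAL_OCTETS - 1:
        raise ValueError("entropy_bits must be between 64 and 159")
    n = 0
    while n == 0:  # zero is not a valid serial; redraw (probability 2**-entropy_bits)
        n = secrets.randbits(entropy_bits)
    return n


def serial_problems(n: int) -> list[str]:
    """RFC 5280 constraint violations for a candidate serial (empty list = acceptable)."""
    problems = []
    if n <= 0:
        problems.append("serial must be a positive integer")
    elif der_integer_octets(n) > MAX_SERIAL_OCTETS:
        problems.append(
            f"serial needs {der_integer_octets(n)} DER octets, limit is {MAX_SERIAL_OCTETS}"
        )
    return problems


def encode_serial(n: int) -> bytes:
    """DER-encode the serial as it appears in the TBSCertificate
    (tag 0x02, short-form length, big-endian two's-complement content)."""
    problems = serial_problems(n)
    if problems:
        raise ValueError("; ".join(problems))
    length = der_integer_octets(n)
    return bytes([0x02, length]) + n.to_bytes(length, "big")


if __name__ == "__main__":
    serial = random_serial_number()
    print(hex(serial), encode_serial(serial).hex())
```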
