Security team successfully cracks SSL using 200 PS3's and MD5
jgreco at ns.sol.net
Sun Jan 4 14:05:44 CST 2009

> * Brian Keefer:
> > My apologies if you were commenting on some other aspect, or if my
> > understanding is in some way flawed.
> I don't think so.
>
> There's a rule of thumb which is easy to remember: Never revoke
> anything just because some weak algorithm is involved. The rationale
> is that revocation is absolute and (usually) retroactive, but we
> generally want a more nuanced approach. If certain algorithms are too
> weak to be used, this is up to the relying party to decide whether
> it's fine in a particular case. On the other hand, replacing
> MD5-signed certificates in the browser PKI is costly, but the overhead
> is very finely dispersed (assuming that reissuing certificates has
> very little overhead at the CA). I think it's doable if the browser
> vendors could agree on a flag date after which MD5 signatures on
> certificates are no longer considered valid.
>
> (The implicit assumptions in that rule of thumb do not always apply.
> For instance, if weak RSA keys are discovered which occur with
> sufficiently high probability as the result of the standard key
> generating algorithms to pose a real problem, the public key may not
> reveal this property immediately, it may only be evident from the
> private key, or only after a rather expensive computation. In the
> latter case, we would be in very deep trouble.)

Other faulty assumptions are that the "relying party" (usually part/ies/)
are actually made aware, and actually make an informed decision, or that
revocation is the first step in efforts to motivate replacement of a cert,
which probably is exactly opposite what I have suggested...

Rules of thumb about weakness of algorithms are suspect because things
change over time; your rule of thumb above might have been applied to
40-bit encryption, but I don't see much 40-bit stuff around anymore. :-)

The opinions on whether or not it is necessary to replace certs seem to
vary depending on whose opinion you're listening to, but a relatively safe
rule of thumb for this sort of security issue is to take the path that is
most likely to avoid risk, which would seem to be replacing certs. To the
extent that VeriSign is already doing this, it would seem that there is a
certain level of agreement with that assessment.

Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
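
The flag-date idea from the quoted text (a relying party refusing MD5-signed certificates from an agreed date on, rather than the CA revoking them), as an added example that is not part of the original message or of any browser's code. The function names, the `FLAG_DATE` value and the two sample "certificates" (minimal DER skeletons, not real certificates) are constructed for illustration.

```python
from datetime import date

# Signature algorithm OIDs the relying party stops trusting at the flag date.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
FLAG_DATE = date(2009, 7, 1)  # constructed placeholder, not a date from the thread

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """OID of Certificate.signatureAlgorithm (the outer field, after tbsCertificate)."""
    tag, start, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(cert_der, start)      # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert_der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(cert_der[oid_start:oid_end])

def acceptable(cert_der, today, flag_date=FLAG_DATE):
    """Relying-party check: weak-signature certs are refused from the flag date on."""
    return not (signature_oid(cert_der) in WEAK_SIG_OIDS and today >= flag_date)

def sample_cert(oid_body):
    """Constructed DER skeleton (not a real certificate) with the given signature OID."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, der(0x06, oid_body) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

MD5_CERT = sample_cert(bytes.fromhex("2a864886f70d010104"))
SHA256_CERT = sample_cert(bytes.fromhex("2a864886f70d01010b"))
```

This covers only the algorithm policy: a real validator also verifies the signature itself and, per RFC 5280, checks that the algorithm identifier inside `tbsCertificate` matches the outer one read here.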