[17022] in cryptography@c2.net mail archive


Re: MD5 collision in X509 certificates

daemon@ATHENA.MIT.EDU (Victor Duchovni)
Sun Mar 6 14:43:43 2005

X-Original-To: cryptography@metzdowd.com
Date: Sat, 5 Mar 2005 16:22:58 -0500
From: Victor Duchovni <Victor.Duchovni@MorganStanley.com>
To: Anne & Lynn Wheeler <lynn@garlic.com>
Cc: Cryptography <cryptography@metzdowd.com>
Mail-Followup-To: Anne & Lynn Wheeler <lynn@garlic.com>,
	Cryptography <cryptography@metzdowd.com>
In-Reply-To: <4229DCEF.8070301@garlic.com>

On Sat, Mar 05, 2005 at 09:23:11AM -0700, Anne & Lynn Wheeler wrote:

> Victor Duchovni wrote:
> >What is the significance of this? It seems I can get a certificate for
> >two public keys (chosen, not given) while only proving possession of the
> >first. Is there anything else? In what sense is the second public key
> >useful to the attacker?
> 
> the purpose of a certificate is analogous to the old letters of credit 
> in the sailing ship days .... it supposedly establishes the bona fides of 
> the individual in an offline, non-connected world where the relying 
> party has no other recourse regarding trust/integrity of the individual 
> that they are dealing with.
> 
> [...]

I've read very similar posts a few times before, and agree with them all
wholeheartedly! My question is however about this specific exposure. This
collision is between two keys generated together by the attacker, not
someone else's given key and another generated by the attacker. Yes,
this allows one to obtain a certificate for a public key whose private
key did not sign the CSR, but what does this mean in practice? It appears
that neither public key can be used to impersonate anyone else...

-- 

 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

---------------------------------------------------------------------
The Cryptography Mailing List