CAcert System Admins discussion list

[Mark Lipscombe <mark AT cacert.org>]

On 12/18/2009 6:34 PM, Roberto Mazzoni wrote:
> People have to install the root certficate in their browser anyway, in order
> to avoid warnings about the certificate. The intermediate certificate is sent
> by the server, no user action needed once the root certificate is installed.
> It's easy to replace or ad a Class 3 intermediate certficate on the server
> side. But since the current intermediate uses also MD5 hashes, we are not
> using it because it has no benefit. With a new intermediate whith SHA1 hash
> algorithmus, we would send out the certificate chain and only use this for
> signing certificates.
>
> FYI, another nice comment on MD5:
> http://my.opera.com/securitygroup/blog/2009/01/30/md5-in-certificates-what-is-happening

Roberto,

I fear that you misunderstand the actual vulnerability here.

Please read that Opera blog post carefully, and compare it to the 
current status quo at CAcert.

Lets examine some facts.  If I've mistaken any of these facts, someone 
please speak up and correct me.

* CAcert's root certificate is signed with MD5
* CAcert's "class 3" intermediate root is signed with MD5
* CAcert signs all new certificates issued to users under both the class 
1 and class 3 roots with SHA1

Assuming these facts to be correct, there is NO RISK from the currently 
published vulnerability.  It is simply not possible to generate a 
colliding certificate using the MD5 weakness published, because there is 
*no* MD5 signing taking place any more.

If you can't coax the CA in to *currently* signing a certificate with 
MD5, the problem disappears.

Please examine the trusted store of the applications you deploy, and 
check each certificate, you will find some still using MD5, however, 
like us, these CAs are no longer signing certificates with MD5.

Now, after understanding that CAcert is not vulnerable to the attack you 
describe, also realise that MD5 is a losing bet.  Each day with growing 
computational power and better methods, it gets a little bit less 
secure.  I've seen around the place that roots should consider it unsafe 
to use MD5 after 2010, and we are working towards issuing new roots 
before then anyway.

To sum up, the vulnerability you linked to us requires us to be 
currently signing new certificates with MD5.  It has nothing what so 
ever to do with the manner in which our roots were signed.

I'm not intimately involved in crypto matters, so I may have 
misunderstood or misstated something, so anyone please feel free to 
correct any inaccuracies.

Regards,
Mark