cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Guillaume ROMAGNY <guillaume AT tiebogos.fr>
- To: cacert-sysadm AT lists.cacert.org
- Cc: Daniel Black <daniel AT cacert.org>, dieter.hennig AT id.ethz.ch
- Subject: Re: two possible MD5 hashed certificates in a chain
- Date: Tue, 12 Jan 2010 09:33:43 +0100
- Openpgp: id=EB42B796
- Organization: Springfield Nuclear Power Plant HeadQuarters
Hello,
On 12.01.2010 07:16, Daniel Black wrote:
> On Tuesday 15 December 2009 00:19:22 dieter.hennig AT id.ethz.ch wrote:
>> Dear all,
>>
>> In reference to the two CAcert root certificates, both hashed by the
>> MD5-algorithm, I would like to ask you to please follow instructions as
>> seen below:
>>
>> http://wiki.cacert.org/Brain/Study/Bug665
>>
>
> I mentioned a plan to replace an intermediary certificate before. As a simpler
> alternate can we stop issuing certificates of the class3 and only issue them
> of the current class1/root cert?
>
> 1. get policy group to ok us moving all issuing off this the current root cert only.
>
> 2. prepare software changes and documentation changes to account for this
>
> 3. prepare blog press release and FAQ
>
> 4. switch software and release blog press release
>
> 5. answer all support questions
>
> 6. relax
>
> I think we've established that this bug 665 issue:
> 1. this is about the perception of security and its real risk is irrelevant
> 2. removing blocks to Universitaet Zuerich - Informatikdienste (UZH) and
> Institute of Technology Zurich (ETHZ) deploying it
> 3. is a separate issue from the new roots program
>
> This will make our software more incompatible with our planned CPS however I
> think the benefits are worth it. We've proved we can run multiple roots before
> and we can do it again when the audit comes around.
>
> Is this good/better/bad/ugly and why?
>
We can take this option.
At least, we will solve the issue quickly and have time to plan
something else for replacing. The patch is limited to removing the
class3 options on several pages, then removing the config in the signing
machine.
On my side, I barely use CAcert class3 certs as the class1+class3 chains
don't offer much protection.
--
Cordialement, Best regards,
Guillaume
Tiebogos (by L'Oreal), parce que je le 'veau' bien.
Vision without action is a daydream.
Action without vision is a nightmare. -- Japanese Proverb