A better approach to security

[Philipp Guehring <philipp AT cacert.org>]

Hi,
> If I understood correctly, the problem is the generation of forged
> certificates with the same MD5 as a genuine certificate by exploiting
> MD5 collisions.
genuine and predicted certificate, yes.
> Setting the CA flag in this forged certificate allows to sign other
> certificates on behalf of the rootCA.
Yes.
> So every certificat signed by its CA with the MD5 hash (or MD2 !!)  is
> suspect.
Yes.
> It should be enough to get rid of the rootCA using MD5, MD2 or worse
> to secure oneself because the chain of certification will be cut at
> the root.
No, because every Sub-CA of every rootCA can issue an MD5 certificate at
any time, and if you never see that certificate (because it was used
internally somewhere), you never know whether it it exists, or not.

> Any certificate deriving from those will be flagged as unverifiable.
Yes, but you can't classify a rootCA, since all rootCA's could be
affected, and in practice you never know, unless an attacker shows you
his collission.
> Looking at the rootCA certificat details, there is a field telling the
> hash algorithm used for signing. So it should be easy to recongnize
> the one using unsecure hash.
No, since the hash that is used for the root certificate can be a
different hash then the hash that was used for signing Sub-CA's or other
certificates.

> Is that assumption valid ?

No, it's far more complex, unfortunately.

Best regards,
Philipp Gühring