Problem with certificate - follow up
Thu Oct 2 18:13:01 2003
On Thu, 2 Oct 2003 13:59:15 +0200, Luca M G Centamore said:
> So I guess the problem is the md2WithRSAEncryption algorithm.
We don't support MD2 because it is an ancient, proprietary and useless
algorithm. From rfc4559:
7.1.1 MD2 One-way Hash Function
MD2 was developed by Ron Rivest for RSA Data Security. RSA Data
Security has not placed the MD2 algorithm in the public domain.
Rather, RSA Data Security has granted license to use MD2 for non-
commercial Internet Privacy-Enhanced Mail. For this reason, MD2 may
continue to be used with PEM certificates, but SHA-1 is preferred.
MD2 produces a 128-bit "hash" of the input. MD2 is fully described
in RFC 1319 [RFC 1319].
At the Selected Areas in Cryptography '95 conference in May 1995,
Rogier and Chauvaud presented an attack on MD2 that can nearly find
collisions [RC95]. Collisions occur when one can find two different
messages that generate the same message digest. A checksum operation
in MD2 is the only remaining obstacle to the success of the attack.
For this reason, the use of MD2 for new applications is discouraged.
It is still reasonable to use MD2 to verify existing signatures, as
the ability to find collisions in MD2 does not enable an attacker to
find new messages having a previously computed hash value.
So this used to be trade secret thing but by describing the algorithm
and allowing to use it for certain tasks (i.e. non-commercial use of
the obsolte and insecure PEM), they can for sure make a better case
than SCO will ever be able to do.
> Any workaround?
Werner Koch <email@example.com>
The GnuPG Experts http://g10code.com
Free Software Foundation Europe http://fsfeurope.org