[PATCH] MD2 for libgcrypt

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jul 19 19:38:30 CEST 2010


On 07/16/2010 03:29 PM, Stephan Mueller wrote:
> As the issue with the Verisign CA certificates would be solved with this
> patch and considering that the Verisign CAs are used pervasively, may I
> ask whether it is possible to add the Verisign CAs to com-certs.pem?

Are you talking about certificates for the Verisign root(s)?  Or are you
talking about an intermediate Verisign CA certificate?

If it's the former, the digest used shouldn't matter -- what matters is
the public key material and any internal constraints set (e.g.
expiration dates).  Validating a self-signature (esp. one with a
known-weak digest) for a trusted root CA certificate is a basically
meaningless operation.

> However, I have one question: as far as I understand, the list in
> com-certs.pem are used as trusted certificates, not needing to reference
> them in trustlist.txt. However, the Verisign CA certs all need the
> "relax" flag as otherwise the CA cert is not accepted by gpgsm.

If there are specific warnings that come up in this use case with
Verisign CA certs, we should address those warnings as specific bugs
themselves unrelated to the MD2 implementation (or lack thereof).

I'm not arguing for discarding the offered MD2 patch (this functionality
would be good to have available), but I don't think it's relevant in the
scenario you're describing (at least as I understand it).

Are there specific bugs related to the use of Verisign root CA certs?

Regards,

	--dkg
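
The root-versus-intermediate distinction raised in the message above, as an added example that is not part of the original post and is not gpgsm or libgcrypt code. It assumes a toy certificate model (the hypothetical `Cert`, `keypair`, `sign` and `validate`), textbook RSA over known Mersenne primes, and constructed certificates; the verifier has no MD2, like a library built without the patch.

```python
import hashlib
from dataclasses import dataclass

# Digests this toy verifier implements; MD2 is deliberately absent.
DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

def keypair(p, q, e=65537):
    """Toy RSA from two known primes (demo only, not secure)."""
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

@dataclass
class Cert:  # constructed stand-in for an X.509 certificate
    subject: str
    issuer: str
    pub: tuple
    sig_alg: str = "sha256"
    sig: int = 0

    def tbs(self):
        return f"{self.subject}|{self.issuer}|{self.pub}".encode()

def digest_int(cert, n):
    return int.from_bytes(DIGESTS[cert.sig_alg](cert.tbs()).digest(), "big") % n

def sign(cert, issuer_pub, issuer_priv):
    cert.sig = pow(digest_int(cert, issuer_pub[0]), issuer_priv, issuer_pub[0])
    return cert

def validate(chain, anchors):
    """chain is leaf first, root last; anchors maps subject -> trusted public key."""
    root = chain[-1]
    if anchors.get(root.subject) != root.pub:
        return "untrusted root"
    # The root is accepted by key match above; its self-signature is never examined.
    for cert, issuer in zip(chain, chain[1:]):
        if cert.sig_alg not in DIGESTS:
            return f"unsupported digest {cert.sig_alg} on {cert.subject}"
        n, e = issuer.pub
        if pow(cert.sig, e, n) != digest_int(cert, n):
            return f"bad signature on {cert.subject}"
    return "ok"

def demo():
    root_pub, root_priv = keypair(2**61 - 1, 2**89 - 1)
    ca_pub, ca_priv = keypair(2**107 - 1, 2**127 - 1)
    root = Cert("Root", "Root", root_pub, sig_alg="md2")  # MD2 self-signature, unverifiable here
    ca = sign(Cert("CA", "Root", ca_pub), root_pub, root_priv)
    leaf = sign(Cert("leaf", "CA", (3233, 17)), ca_pub, ca_priv)
    anchors = {"Root": root_pub}
    as_root = validate([leaf, ca, root], anchors)
    ca.sig_alg = "md2"  # same chain, but now the intermediate claims an MD2 signature
    return as_root, validate([leaf, ca, root], anchors)
```

`demo()` returns the result for a chain whose root carries an MD2 self-signature, then the result for the same chain once the intermediate is labelled MD2.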
